Posted to c-dev@xerces.apache.org by "Scott Colcord (JIRA)" <xe...@xml.apache.org> on 2010/04/20 21:54:53 UTC

[jira] Created: (XERCESC-1921) Buffer overflow in XMLString::replaceTokens()

Buffer overflow in XMLString::replaceTokens()
---------------------------------------------

                 Key: XERCESC-1921
                 URL: https://issues.apache.org/jira/browse/XERCESC-1921
             Project: Xerces-C++
          Issue Type: Bug
          Components: Utilities
         Environment: Probably any C++ Environment
            Reporter: Scott Colcord


The function XMLString::replaceTokens() does not take its terminating NULL into account when comparing with the maxChars limit passed by the caller.  Consequently, when passed a too-large string, it will overwrite one XMLCh after the buffer.

It should be changed to test (curOutInd+1 < maxChars), and increment curOutInd when setting the null.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org


[jira] Commented: (XERCESC-1921) Buffer overflow in XMLString::replaceTokens()

Posted by "Scott Colcord (JIRA)" <xe...@xml.apache.org>.
    [ https://issues.apache.org/jira/browse/XERCESC-1921?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859364#action_12859364 ] 

Scott Colcord commented on XERCESC-1921:
----------------------------------------

I ran into this via a call from the Xalan-C library in <http://svn.apache.org/repos/asf/xalan/c/trunk/src/xalanc/PlatformSupport/XalanMessageLoader.cpp>.  One of the XalanMessageLoader::load() overloads there is calling XMLString::replaceTokens(), and not properly accounting for the NULL.  I will re-file this issue against Xalan-C.

In general, I do think that it would be better not to require the caller to account for the NULL, under the principle that the easiest way to call a function should also be the correct way, but you're right; it correctly documents its current behavior.



[jira] Closed: (XERCESC-1921) Buffer overflow in XMLString::replaceTokens()

Posted by "Boris Kolpackov (JIRA)" <xe...@xml.apache.org>.
     [ https://issues.apache.org/jira/browse/XERCESC-1921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Boris Kolpackov closed XERCESC-1921.
------------------------------------

    Resolution: Invalid

Scott, the documentation for replaceTokens specifies that the buffer should be maxChars + 1 long to accommodate the null terminator. While this interface is not ideal, this function is internal so I am not sure whether it makes sense to change it. I have audited all the places it is called from and they all make sure to allocate an extra character in the buffer. Please reopen this issue if you see an actual buffer overrun.

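The off-by-one the report describes, the suggested (curOutInd+1 < maxChars) bound, and the maxChars + 1 contract cited in the close, as an added example that is not Xerces-C++ or Xalan-C code. `Ch` stands in for XMLCh, `replaceTokens()` is a simplified reconstruction of {0}..{3} substitution with the loop bound as its only knob (the real function's signature and internals are not reproduced), and `probe()`, `overran()`, `kept()` and the sample message are constructed for this illustration:

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for XMLCh (assumed: a UTF-16 code unit).
using Ch = char16_t;

// Simplified reconstruction (not the Xerces implementation) of {0}..{3}
// expansion into `out`, limited by `maxChars`.
//   reserveForNull == false: the bound the issue objects to (curOutInd < maxChars);
//     the text may fill out[0..maxChars-1] and the terminator then goes to out[maxChars],
//     which is why the documented contract asks callers for maxChars + 1 slots.
//   reserveForNull == true: the bound the issue suggests (curOutInd + 1 < maxChars),
//     which keeps the terminator inside a buffer of exactly maxChars slots.
// Returns the index at which the terminator was written.
std::size_t replaceTokens(Ch* out, std::size_t maxChars, const std::u16string& text,
                          const std::u16string (&tokens)[4], bool reserveForNull)
{
    std::size_t curOutInd = 0;
    auto canWrite = [&]() {
        return reserveForNull ? (curOutInd + 1 < maxChars) : (curOutInd < maxChars);
    };
    for (std::size_t i = 0; i < text.size() && canWrite(); ++i) {
        if (text[i] == u'{' && i + 2 < text.size() && text[i + 2] == u'}'
            && text[i + 1] >= u'0' && text[i + 1] <= u'3') {
            const std::u16string& rep = tokens[text[i + 1] - u'0'];
            for (std::size_t j = 0; j < rep.size() && canWrite(); ++j)
                out[curOutInd++] = rep[j];
            i += 2;  // skip "{n}"
        } else {
            out[curOutInd++] = text[i];
        }
    }
    out[curOutInd] = 0;  // with reserveForNull == false this can be out[maxChars]
    return curOutInd;
}

struct Probe {
    bool overran;          // something was written past the bufLen slots the caller owns
    std::u16string text;   // what ended up in the caller's slots
};

// Hands replaceTokens a region of `bufLen` code units followed by one sentinel slot
// and reports whether the sentinel was touched. The sentinel lives inside the vector,
// so a spill is observed rather than being undefined behaviour.
Probe probe(std::size_t bufLen, std::size_t maxChars, const std::u16string& text,
            const std::u16string (&tokens)[4], bool reserveForNull)
{
    const Ch sentinel = 0xFFFF;
    std::vector<Ch> buf(bufLen + 1, sentinel);
    replaceTokens(buf.data(), maxChars, text, tokens, reserveForNull);
    Probe p{buf[bufLen] != sentinel, {}};
    for (std::size_t i = 0; i < bufLen && buf[i] != 0 && buf[i] != sentinel; ++i)
        p.text += buf[i];
    return p;
}

// Constructed sample message and replacements; expands to 26 code units.
const std::u16string kMsg = u"Error in {0}: {1}";
const std::u16string kToks[4] = {u"parser", u"bad token", u"", u""};

bool overran(std::size_t bufLen, std::size_t maxChars, bool reserveForNull)
{
    return probe(bufLen, maxChars, kMsg, kToks, reserveForNull).overran;
}

std::size_t kept(std::size_t bufLen, std::size_t maxChars, bool reserveForNull)
{
    return probe(bufLen, maxChars, kMsg, kToks, reserveForNull).text.size();
}

int main()
{
    bool tooSmallBufferOriginalBound = overran(10, 10, false);  // buffer == maxChars: spills
    bool tooSmallBufferFixedBound    = overran(10, 10, true);   // suggested fix: no spill
    bool documentedContract          = overran(11, 10, false);  // maxChars + 1 slots: no spill
    return (tooSmallBufferOriginalBound && !tooSmallBufferFixedBound && !documentedContract) ? 0 : 1;
}
```

The three probes are the three positions in the thread: a caller that sizes its buffer to maxChars (as the Xalan-C call site was said to) gets the one-unit overrun, the (curOutInd+1 < maxChars) bound removes it at the cost of one fewer payload character, and a caller honouring the documented maxChars + 1 contract never overruns even with the original bound.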