You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-dev@xerces.apache.org by "Scott Cantor (Jira)" <xe...@xml.apache.org> on 2019/12/30 17:07:00 UTC

[jira] [Resolved] (XERCESC-2126) Type Confusion from DTDGrammar to SchemaGrammar

     [ https://issues.apache.org/jira/browse/XERCESC-2126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor resolved XERCESC-2126.
-----------------------------------
    Resolution: Fixed

> Type Confusion from DTDGrammar to SchemaGrammar
> -----------------------------------------------
>
>                 Key: XERCESC-2126
>                 URL: https://issues.apache.org/jira/browse/XERCESC-2126
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: DOM
>    Affects Versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.1.3, 3.1.4, 3.2.1, 3.2.2
>         Environment: Ubuntu 16.04 LTS, Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz, 16GB
>            Reporter: Yuseok Jeon
>            Assignee: Scott Cantor
>            Priority: Major
>             Fix For: 3.2.3
>
>         Attachments: Xerces-C++ Type confusion Report.pdf
>
>
> Hi all,
> Our type confusion detection tool reports a type_confusion error in the "xercesc/validators/schema/SchemaValidator.cpp"
> xercesc/validators/schema/SchemaValidator.cpp line 772 
> 756 void SchemaValidator::preContentValidation(bool, bool validateDefAttr)
> 758 {
> 769    RefHashTableOfEnumerator<Grammar> grammarEnum = fGrammarResolver->getGrammarEnumerator();
> 770    while (grammarEnum.hasMoreElements())
> 771    {
> {color:red}772        SchemaGrammar& sGrammar = (SchemaGrammar&) grammarEnum.nextElement();{color}
> 773        if (sGrammar.getGrammarType() != Grammar::SchemaGrammarType || sGrammar.getValidated())
> 774             continue;
>                  ……………
>           }
> In the line 772, grammarEnum.nextElement() indicates object allocated as DTDGrammar, and it is casted into SchemaGrammar. However, since SchemaGrammar is not a subobject of DTDGrammar, it is violating C++ standard rules 5.2.9/11 (down casting is undefined if the object that the pointer to be casted points to is not a suboject of down casting type) and causes undefined behaviors.
> There are similar type-confusion cases as below links.
> - (Xerces-c++) https://issues.apache.org/jira/browse/XERCESC-2088
> - (libstdc++) https://gcc.gnu.org/bugzilla/show_bug.cgi?id=60734
> - (Firefox) https://bugzilla.mozilla.org/show_bug.cgi?id=1074280
> I attached detail type confusion information.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: c-dev-help@xerces.apache.org