Posted to p-dev@xerces.apache.org by bu...@apache.org on 2003/12/22 05:39:42 UTC
DO NOT REPLY [Bug 25686] New: - Memory access bug in XMLString2Perl()
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25686
Summary: Memory access bug in XMLString2Perl()
Product: Xerces-P
Version: 2.3.0
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: Other
Component: Perl API
AssignedTo: xerces-p-dev@xml.apache.org
ReportedBy: cheungcc@clc.cuhk.edu.hk
Steps to reproduce:
-------------------
1) Use the gcc compilation flags "-O0 -ggdb3" when building Xerces-Perl so that
line numbers are displayed in the error messages of valgrind.
2) Write the following script named "parse.pl"
------------------------------------------
#!/usr/bin/perl -w
use strict;
use XML::Xerces;
my $xmlString = '<?xml version="1.0"?><A><B>Hello</B></A>';
my $parser = XML::Xerces::XercesDOMParser->new();
$parser->parse(XML::Xerces::MemBufInputSource->new($xmlString));
my $doc = $parser->getDocument();
my $root = $doc->getDocumentElement;
print $root->getAttribute("notExist");
-----------------------------------------
3) Run it with valgrind
$ valgrind ./parse.pl
valgrind detected invalid memory access like:
==24771== Invalid write of size 1
==24771==    at 0x42F06DEA: XMLString2Perl(unsigned short const*) (Xerces.cpp:1004)
==24771==    by 0x4306E53B: _wrap_DOMElement_getAttribute (Xerces.cpp:59286)
==24771==    by 0x402ACCD5: Perl_pp_entersub (in /usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so)
==24771==    by 0x402A62E8: Perl_runops_standard (in /usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE/libperl.so)
==24771==    Address 0x418CD8FC is 0 bytes after a block of size 0 alloc'd
==24771==    at 0x40026268: __builtin_vec_new (in /usr/lib/valgrind/vgskin_memcheck.so)
==24771==    by 0x400262C0: operator new[](unsigned) (in /usr/lib/valgrind/vgskin_memcheck.so)
==24771==    by 0x42F06DAE: XMLString2Perl(unsigned short const*) (Xerces.cpp:995)
==24771==    by 0x4306E53B: _wrap_DOMElement_getAttribute (Xerces.cpp:59286)
Possible cause:
---------------
It seems that in line 995 of Xerces.cpp:

    SV*
    XMLString2Perl(const XMLCh* input) {
        SV *output;
        unsigned int charsEaten = 0;
        int length = XMLString::stringLen(input);          // string length
        XMLByte* res = new XMLByte[length * UTF8_MAXLEN];  // output string
        unsigned int total_chars =
            UTF8_TRANSCODER->transcodeTo((const XMLCh*) input,
                                         (unsigned int) length,
                                         (XMLByte*) res,
                                         (unsigned int) length*UTF8_MAXLEN,
                                         charsEaten,
                                         XMLTranscoder::UnRep_Throw
                                         );
        res[total_chars] = '\0';

The memory to malloc should be (length * UTF8_MAXLEN + 1):

    XMLByte* res = new XMLByte[length * UTF8_MAXLEN + 1];  // output

so that the memory for the ending '\0' is not missed.
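The sizing problem described in the report above, as an added example that is not part of the original message or of the Xerces-P source: for a zero-length input (the "block of size 0" in the valgrind trace) a buffer of length * max-bytes has no room for the terminator, while the +1 sizing does. All names here (kMaxBytesPerUnit, reported_capacity, proposed_capacity, terminator_fits, utf16_to_utf8, to_utf8) are hypothetical, and the small encoder only stands in for the Xerces transcoder.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Assumed stand-in for the page's UTF8_MAXLEN: a UTF-16 code unit never
// needs more than 3 UTF-8 bytes (a surrogate pair is 2 units -> 4 bytes).
constexpr std::size_t kMaxBytesPerUnit = 3;

// Sizing as in the reported code vs. the sizing the report proposes.
std::size_t reported_capacity(std::size_t len) { return len * kMaxBytesPerUnit; }
std::size_t proposed_capacity(std::size_t len) { return len * kMaxBytesPerUnit + 1; }

// True when buf[written] = '\0' stays inside a buffer of `capacity` bytes.
bool terminator_fits(std::size_t capacity, std::size_t written) { return written < capacity; }

// Bounds-checked UTF-16 -> UTF-8; returns bytes written, never more than cap.
std::size_t utf16_to_utf8(const char16_t* in, std::size_t len, unsigned char* out, std::size_t cap) {
    std::size_t n = 0;
    for (std::size_t i = 0; i < len; ++i) {
        char32_t cp = in[i];
        if (cp >= 0xD800 && cp <= 0xDBFF && i + 1 < len && in[i + 1] >= 0xDC00 && in[i + 1] <= 0xDFFF) {
            cp = 0x10000 + ((cp - 0xD800) << 10) + (in[++i] - 0xDC00);
        } else if (cp >= 0xD800 && cp <= 0xDFFF) {
            cp = 0xFFFD;  // unpaired surrogate -> replacement character
        }
        std::size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (n + need > cap) break;  // refuse to write past the buffer
        if (need == 1) { out[n++] = static_cast<unsigned char>(cp); continue; }
        static const unsigned char lead[] = {0, 0, 0xC0, 0xE0, 0xF0};
        out[n++] = static_cast<unsigned char>(lead[need] | (cp >> (6 * (need - 1))));
        for (std::size_t k = need - 1; k-- > 0;)
            out[n++] = static_cast<unsigned char>(0x80 | ((cp >> (6 * k)) & 0x3F));
    }
    return n;
}

// Transcode with room reserved for the terminator, so empty input is safe.
std::string to_utf8(const char16_t* in, std::size_t len) {
    std::vector<unsigned char> buf(proposed_capacity(len));
    std::size_t n = utf16_to_utf8(in, len, buf.data(), buf.size() - 1);
    buf[n] = '\0';  // always in bounds: n <= buf.size() - 1
    return std::string(reinterpret_cast<char*>(buf.data()), n);
}
```

The same check also fails for the reported sizing whenever every input unit expands to the maximum number of bytes, not only for empty strings.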