You are viewing a plain text version of this content. The canonical link for it is here.

Posted to j-dev@xerces.apache.org by "Michael Glavassevich (JIRA)" <xe...@xml.apache.org> on 2007/07/07 00:21:04 UTC

[jira] Resolved: (XERCESJ-1257) buffer overflow in UTF8Reader for characters out of BMP

     [ https://issues.apache.org/jira/browse/XERCESJ-1257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Glavassevich resolved XERCESJ-1257.
-------------------------------------------

    Resolution: Fixed

Robert, though your patch does avoid the AIOOBE, it would still allow the Reader to write outside the region of the char buffer it was asked to write into.  Happens if length < ch.length. I committed a different fix [1] which handles this case, writes the high surrogate into the char buffer (since there's still space for it) and saves the low surrogate for the next read.  You should be able to verify it with one of the regular Gump builds [2]. Look for a jar dated after July 6th.  It might take a day or two to show up there.

[1] http://marc.info/?l=xerces-cvs&m=118375899720046&w=2
[2] http://vmgump.apache.org/gump/public-jars/xml-xerces2/jars/

> buffer overflow in UTF8Reader for characters out of BMP
> -------------------------------------------------------
>
>                 Key: XERCESJ-1257
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1257
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: JAXP (javax.xml.parsers)
>    Affects Versions: 2.9.0
>         Environment: Any
>            Reporter: Robert Stojnic
>            Assignee: Michael Glavassevich
>            Priority: Minor
>         Attachments: TestXerces.java, UTF8Reader.patch
>
>
> There is a ArrayOutOfBoundsException in org.apache.xerces.impl.io.UTF8Reader, in read(char[],int,int) for 4-byte utf-8 chars.
> Imagine a following scenario. read() has a buffer of size N, and it reads N-1 ascii chars, and stores it in the output buffer. Let the Nth char be the first byte of a 4 byte utf-8 char. The other 3 bytes are fetched by invoking read() on the input stream. From these a surrogate pair of java chars is made, however, method does not check if both chars can fit into the output buffer ... In most cases, they would fit into the ouput buffer (e.g. if there are some other multi-byte chars in the fetched text), so the bug is very rare, but it still happens.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-dev-help@xerces.apache.org