#381 storeAtts can trash tempPool

Test Required
closed-fixed
None
5
2006-01-13
2005-06-15
No

I ran into what I think is a bug in storeAtts. While
looping over appAtts there's a small optimization to
bail out early when nPrefixes is 0. The code then loops
over the remaining attributes and does |((XML_Char
*)(appAtts[i]))[-1] = 0;|. The problem is that because
of the early bail out i didn't get incremented, and
just before bailing out the code sets |appAtts[i] = s;|
with s coming out of the tempPool, so in the second
loop we end up nulling some memory inside the tempPool.
One solution consists in incrementing i just before
bailing out (I'm attaching a patch that does this).
Another solution would be to make the first loop be
|for (; nPrefixes && i < attIndex; i += 2) {| and drop
the early bail-out.

Discussion

  • Proposed fix

     
    Attachments
  • Karl Waclawek
    Karl Waclawek
    2005-06-15

    Logged In: YES
    user_id=290026

    I believe you are correct.
    Fixed in xmlparse.cs rev. 1.148.

    Need to run a few tests with namespaces on.

     
  • Karl Waclawek
    Karl Waclawek
    2005-06-15

    • milestone: --> Test Required
    • assigned_to: nobody --> fdrake
    • status: open --> open-fixed
     
  • Karl Waclawek
    Karl Waclawek
    2006-01-13

    • status: open-fixed --> closed-fixed
     
  • Karl Waclawek
    Karl Waclawek
    2006-01-13

    Logged In: YES
    user_id=290026

    Since Fred is not active anymore, there is no-one to write a
    test case. Closing the issue.