Menu
▾
▴
#507 Parser crash with *.xml.tar.gz file as input.
I was using xml library to parse a file which is compressed. I was expecting an error message if the format is invalid, but the parser crashes if I provide the *.xml.tar.gz file. I have attached the file (the same file got it from https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127\).
The issue is in updatePosition()
part of call stack :
#0 normal_updatePosition (enc=0x171db220, ptr=0xd4fa6005 "", end=0x2580b2d00 "", pos=0x2580b3f60)
#1 0x00000000171b32dd in XML_GetCurrentLineNumber (parser=0x2580b3b50)
after continue with the above context, the parser crashed.
0x00000000171c5794 in normal_updatePosition (enc=0x171db220, ptr=0xd4fa7000 <Address 0xd4fa7000 out of bounds>, end=0x2580b2d00 "", pos=0x2580b3f60)
notice the ptr address is out of bounds.
Issue is that ptr is assigned with a far address from "end" pointer address. Say my string length is 3 ("abc") and the ptr address is 1234 and the end address is 9999. In this case, the loop has to iterate for 3 times as my string length is 3, but based on the condition (ptr < end), the loop may iterate (9999-1234) number of times and crashes in between.
void PREFIX(updatePosition)(const ENCODING *enc,
const char *ptr,
const char *end,
POSITION *pos)
{
while (ptr < end ) {
...
}
temporary fix made to fix this issue is by relying on string length.
int str_len = strlen(ptr);
while (ptr < end && str_len--) {
This issue looks similar to https://sourceforge.net/tracker/?func=detail&aid=2855609&group_id=10127&atid=110127
I cannot reproduce the issue with your file.
What version of Expat are you using?
Could you please try the latest source in CVS and let me know if you still have the issue.
I didn't realize that I was using the old version 2.0.1 has these issues. These issues have been fixed in latest source 2.1.0. Sorry about that !