#131 Hang while parsing 0xef00

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2013-04-29
Created: 2013-04-29
Private: No

These two samples (xxd format):

0000000: 3c3f 786d 6c3e 3c68 206f 3d22 ef00 3e22 <?xml><h o="..>"
0000010: 0a

0000000: 3c3f 786d 6c3e 3c6d 3eef 006c 3c66 <?xml><m>..l<f

will hang TinyXml in the Stamp function:

#0 0x0000000000401f21 in TiXmlParsingData::Stamp (this=0x7fffffffd7f0, now=0x6122bc "<f", encoding=TIXML_ENCODING_UTF8)
at ../tinyxml/tinyxmlparser.cpp:212
#1 0x0000000000403b0a in TiXmlElement::Parse (this=0x6124a0, p=0x6122bc "<f", data=0x7fffffffd7f0, encoding=TIXML_ENCODING_UTF8)
at ../tinyxml/tinyxmlparser.cpp:1056
#2 0x00000000004041ab in TiXmlElement::ReadValue (this=0x612340, p=0x6122bc "<f", data=0x7fffffffd7f0,
encoding=TIXML_ENCODING_UTF8) at ../tinyxml/tinyxmlparser.cpp:1229
#3 0x0000000000403d08 in TiXmlElement::Parse (this=0x612340, p=0x6122b9 <incomplete sequence \357>, data=0x7fffffffd7f0,
encoding=TIXML_ENCODING_UTF8) at ../tinyxml/tinyxmlparser.cpp:1109
#4 0x0000000000402f56 in TiXmlDocument::Parse (this=0x7fffffffd940, p=0x6122b6 "<m", <incomplete sequence \357>, prevData=0x0,
encoding=TIXML_ENCODING_UTF8) at ../tinyxml/tinyxmlparser.cpp:759
#5 0x0000000000408469 in TiXmlDocument::LoadFile (this=0x7fffffffd940, file=0x612070, encoding=TIXML_ENCODING_UNKNOWN)
at ../tinyxml/tinyxml.cpp:1077
#6 0x0000000000408148 in TiXmlDocument::LoadFile (this=0x7fffffffd940, _filename=0x612028 "m", encoding=TIXML_ENCODING_UNKNOWN)
at ../tinyxml/tinyxml.cpp:975
#7 0x0000000000408082 in TiXmlDocument::LoadFile (this=0x7fffffffd940, encoding=TIXML_ENCODING_UNKNOWN)
at ../tinyxml/tinyxml.cpp:956

The 0xef goes into the switch case:
case TIXML_UTF_LEAD_0:
which doesn't increment p (or return) if *(p+1) is NULL.

I think it should return? (like the NULL case handled earlier?)
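The loop the report describes, as an added example (this is not TinyXml's code, only a simplified model of the UTF-8 column-counting loop in TiXmlParsingData::Stamp): every byte other than 0xEF is counted as one column, the TIXML_UTF_LEAD_0 case is kept close to the original, and a `fixed` flag selects a hardened version that steps over a truncated lead byte instead of standing still. `StampResult`, `makeResult`, `stampColumns`, `walk`, `countColumns`, the `maxIter` guard that turns the hang into a return value, and the two well-formed inputs `BOM_TEXT` and `FULLWIDTH_A` are my additions; `SAMPLE_1` and `SAMPLE_2` are the report's two files as byte strings, embedded NUL included.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Byte constants under tinyxml's names: the three bytes of a UTF-8 BOM.
static const unsigned char TIXML_UTF_LEAD_0 = 0xefU;
static const unsigned char TIXML_UTF_LEAD_1 = 0xbbU;
static const unsigned char TIXML_UTF_LEAD_2 = 0xbfU;

// Outcome of walking the column counter from `stamp` up to `now`.
struct StampResult {
    bool hung;            // true if the walk stopped making progress (guard tripped)
    int col;              // columns counted
    std::size_t consumed; // bytes advanced over
};

static StampResult makeResult(bool hung, int col, std::size_t consumed)
{
    StampResult r = { hung, col, consumed };
    return r;
}

// Simplified model of the UTF-8 column-counting loop in TiXmlParsingData::Stamp.
// Only the TIXML_UTF_LEAD_0 case is kept close to the original; every other
// byte is counted as one column (the real loop also handles '\n', '\r', tabs
// and multi-byte steps). `fixed` selects the hardened handling of a lead byte
// whose continuation bytes are missing. `maxIter` is a hypothetical guard so
// that the hang surfaces as a return value instead of a real infinite loop.
StampResult stampColumns(const char* stamp, const char* now, bool fixed, int maxIter = 4096)
{
    int col = 0;
    const char* p = stamp;
    for (int iter = 0; p < now; ++iter) {
        if (iter >= maxIter)
            return makeResult(true, col, static_cast<std::size_t>(p - stamp));
        const unsigned char* pU = reinterpret_cast<const unsigned char*>(p);
        switch (*pU) {
        case 0:
            // Never step past a terminating NUL, even if `now` lies beyond it.
            return makeResult(false, col, static_cast<std::size_t>(p - stamp));
        case TIXML_UTF_LEAD_0:
            if (*(pU + 1) && *(pU + 2)) {
                // Complete 3-byte sequence. A BOM, U+FFFE and U+FFFF are
                // zero width; anything else led by 0xEF is one column.
                bool zeroWidth =
                    (*(pU + 1) == TIXML_UTF_LEAD_1 && *(pU + 2) == TIXML_UTF_LEAD_2) ||
                    (*(pU + 1) == 0xbfU && (*(pU + 2) == 0xbeU || *(pU + 2) == 0xbfU));
                p += 3;
                if (!zeroWidth)
                    ++col;
            } else if (fixed) {
                // 0xEF with a NUL within the next two bytes: the sequence is
                // truncated, so treat the lead byte as a lone malformed byte
                // and step over it. Returning here, as the report suggests,
                // would also end the loop.
                ++p;
                ++col;
            }
            // Unfixed: p is left where it was, so `p < now` never becomes false.
            break;
        default:
            ++p;
            ++col;
            break;
        }
    }
    return makeResult(false, col, static_cast<std::size_t>(p - stamp));
}

// The two samples from the report as byte strings, embedded NUL included
// (lengths given explicitly so the NUL is kept).
static const std::string SAMPLE_1("<?xml><h o=\"\xef\x00>\"\n", 17);
static const std::string SAMPLE_2("<?xml><m>\xef\x00l<f", 14);

// Constructed well-formed inputs: a BOM before "abc", and U+FF21 (EF BC A1).
static const std::string BOM_TEXT = std::string("\xef\xbb\xbf") + "abc";
static const std::string FULLWIDTH_A("\xef\xbc\xa1");

// Stamp from the start of `sample` up to byte offset `nowOffset`, the point the
// parser had reached when it called Stamp (for SAMPLE_2 that is the "<f" at
// offset 12, matching the backtrace).
StampResult walk(const std::string& sample, std::size_t nowOffset, bool fixed)
{
    return stampColumns(sample.data(), sample.data() + nowOffset, fixed);
}

// Stamp a whole buffer.
StampResult countColumns(const std::string& sample, bool fixed)
{
    return walk(sample, sample.size(), fixed);
}

int main()
{
    const StampResult bad = walk(SAMPLE_2, 12, false);
    const StampResult good = walk(SAMPLE_2, 12, true);
    std::printf("unfixed: hung=%d col=%d consumed=%zu\n", bad.hung, bad.col, bad.consumed);
    std::printf("fixed:   hung=%d col=%d consumed=%zu\n", good.hung, good.col, good.consumed);
    return 0;
}
```

With `fixed` false the walk over either sample stops advancing at the 0xEF byte and the guard reports a hang; with `fixed` true it steps onto the NUL and the `case 0` return ends the walk. The BOM and U+FF21 inputs give the same result either way, so the hardened branch only changes behaviour for the truncated sequence.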

Discussion
