There appears to be an off-by-one read bug. Not sure if this has been posted before, couldn't find anything quickly. So I think I'll rather double post. :)
Anyway, the problem is that in TiXmlBase::ReadText, p is incremented by strlen(endTag). If the end tag was never found (*p == 0), this increments the pointer to point past the end of the input buffer (and it is read later on).
So in ReadText:
// as before
if ( p && *p )
{
    assert( StringEqual( p, endTag, caseInsensitive, encoding ) );
    p += strlen( endTag );
    return p;
}
// end tag was not found!
return 0;
and then in TiXmlAttribute::Parse:
if ( *p == SINGLE_QUOTE )
{
    ++p;
    end = "\'"; // single quote in string
    p = ReadText( p, &value, false, end, false, encoding );
    if ( !p )
    {
        if ( document ) document->SetError( TIXML_ERROR_READING_ATTRIBUTES, p, data, encoding );
        return 0;
    }
}
else if ( *p == DOUBLE_QUOTE )
{
    ++p;
    end = "\""; // double quote in string
    p = ReadText( p, &value, false, end, false, encoding );
    if ( !p )
    {
        if ( document ) document->SetError( TIXML_ERROR_READING_ATTRIBUTES, p, data, encoding );
        return 0;
    }
}
This bug was exposed by the fuzz test, but why wasn't it fixed?
Cheers,
-Sami
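To make the read concrete, here is a small stand-alone model of the pattern described above. It is an added illustration, not code from the TinyXML sources or from the post: ReadTextBuggy, ReadTextFixed, NextByteSeen and the canary input are constructed for this example, and the fixed form follows the shape the post proposes (skip the end tag only when it was actually found, otherwise return 0).

```cpp
#include <cassert>
#include <cstring>
#include <string>

// Model of TiXmlBase::ReadText as described in the post (added example, not
// TinyXML's code): copy characters into `value` until `endTag` is seen, then
// step over the end tag and return the position just after it.

// Buggy shape: the step over the end tag is unconditional, so when the scan
// stopped at the terminating NUL the caller receives a pointer
// strlen(endTag) bytes past the logical end of input.
const char* ReadTextBuggy(const char* p, std::string* value, const char* endTag)
{
    const size_t tagLen = std::strlen(endTag);
    value->clear();
    while (p && *p && std::strncmp(p, endTag, tagLen) != 0) {
        value->push_back(*p++);
    }
    if (p) p += tagLen;   // wrong when *p == 0: the end tag was never found
    return p;
}

// Fixed shape from the post: advance only if the end tag is really there,
// otherwise return 0 so the caller can report an error instead of reading on.
const char* ReadTextFixed(const char* p, std::string* value, const char* endTag)
{
    const size_t tagLen = std::strlen(endTag);
    value->clear();
    while (p && *p && std::strncmp(p, endTag, tagLen) != 0) {
        value->push_back(*p++);
    }
    if (p && *p) {
        assert(std::strncmp(p, endTag, tagLen) == 0);
        return p + tagLen;
    }
    return nullptr;   // end tag was not found
}

// Constructed input: an attribute value whose closing quote is missing.
// The bytes after the NUL stand in for whatever happens to follow the real
// buffer in memory; here they are a canary so the overrun can be observed
// without undefined behaviour. 12 characters, NUL at index 12, 'C' at 13.
static const char kInput[] = "unterminated\0CANARY";

// What a caller in the style of TiXmlAttribute::Parse would look at next.
// Returns the byte the reader leaves the caller positioned on, or '\0' when
// the reader correctly reported failure and nothing further is read.
char NextByteSeen(const char* (*reader)(const char*, std::string*, const char*))
{
    std::string value;
    const char* p = reader(kInput, &value, "\"");
    if (!p) return '\0';   // error path taken
    return *p;             // buggy reader: this byte lies past the NUL
}

bool BuggyReadsPastEnd() { return NextByteSeen(ReadTextBuggy) == 'C'; }
bool FixedReportsError() { return NextByteSeen(ReadTextFixed) == '\0'; }

// Sanity check that the fix does not break the normal, terminated case.
bool FixedStopsOnQuote()
{
    std::string value;
    const char* p = ReadTextFixed("hello\" rest", &value, "\"");
    return p && value == "hello" && std::strcmp(p, " rest") == 0;
}
```

In a real parse the byte the buggy reader lands on is outside the allocation rather than a canary, which is exactly the kind of one-byte over-read that AddressSanitizer or a fuzz run flags; the fixed reader turns the same input into a clean error return for the caller.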
Should be in the "bugs" section - I moved it there.
lee