[ http://issues.apache.org/jira/browse/XERCESC-1637?page=comments#action_12440307 ]

Graham Bennett commented on XERCESC-1637:
-----------------------------------------
I can reproduce the problem with the following simple xml file:

    <?xml version="1.0"?>
    <!DOCTYPE foo [
    <!ELEMENT foo ANY>
    ]>
    <foo>
    <bar xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="bar.xsd">aaa</bar>
    </foo>

Where bar.xsd contains:

    <?xml version="1.0"?>
    <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <xsd:element name="bar" type="xsd:string" fixed="aaa"/>
    </xsd:schema>

The problem appears to be that the scanner initially chooses a DTDElementDecl object for the bar element, but by the time it gets to scanEndTag it has decided that the element has a schema grammar and so it does:

    if(!isRoot && fGrammarType == Grammar::SchemaGrammarType)
        ((SchemaElementDecl *)fElemStack.topElement()->fThisElement)->updateValidityFromElement(topElem->fThisElement, fGrammarType);

However fThisElement is actually a DTDElementDecl object, so the cast is invalid and a memory error results.

> Purify reports ABW (Array Bounds Write) errors during validation
> ----------------------------------------------------------------
>
>                 Key: XERCESC-1637
>                 URL: http://issues.apache.org/jira/browse/XERCESC-1637
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Validating Parser (DTD), Validating Parser (Schema) (Xerces 1.5 or up only)
>    Affects Versions: 2.3.0
>         Environment: Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
> Linux paias1011 2.4.21-32.0.1.EL.msdwhugemem #1 SMP Mon Dec 5 21:32:44 EST 2005 i686 i686 i386 GNU/Linux
> gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-42)
>            Reporter: Graham Bennett
>
> We are experiencing crashes using xerces with a custom memory allocator, and
> the root cause of the crashes appears to be some invalid memory writes during
> parsing.
> Purify reports the errors as follows:
>
> ABW: Array bounds write
> This is occurring while in thread 2374:
>
>   xercesc_2_3::SchemaElementDecl::updateValidityFromElement(xercesc_2_3::XMLElementDecl const*, xercesc_2_3::Grammar::GrammarType) [SchemaElementDecl.hpp:873]
>   xercesc_2_3::IGXMLScanner::scanEndTag(bool&) [IGXMLScanner.cpp:1075]
>   xercesc_2_3::IGXMLScanner::scanContent(bool) [IGXMLScanner.cpp:840]
>   xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:209]
>
> Writing 1 byte to 0x81da630 in the heap.
> Address 0x81da630 is 41 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
> This block was allocated from thread -185921408:
>
>   malloc [rtlib.o]
>   operator new(unsigned) [new_op.cc:48]
>   xercesc_2_3::MemoryManagerImpl::allocate(unsigned) [MemoryManagerImpl.cpp:75]
>   xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
>   xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
>   xercesc_2_3::DTDScanner::scanMarkupDecl(bool) [DTDScanner.cpp:3287]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2667]
>   xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
>   xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
>   xercesc_2_3::IGXMLScanner::scanDocTypeDecl() [IGXMLScanner.cpp:1403]
>   xercesc_2_3::XMLScanner::scanProlog() [XMLScanner.cpp:1180]
>   xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:198]
>
> ABW: Array bounds write
> This is occurring while in thread 2374:
>
>   xercesc_2_3::SchemaElementDecl::updateValidityFromElement(xercesc_2_3::XMLElementDecl const*, xercesc_2_3::Grammar::GrammarType) [SchemaElementDecl.hpp:880]
>   xercesc_2_3::IGXMLScanner::scanEndTag(bool&) [IGXMLScanner.cpp:1075]
>   xercesc_2_3::IGXMLScanner::scanContent(bool) [IGXMLScanner.cpp:840]
>   xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:209]
>
> Writing 1 byte to 0x81da632 in the heap.
> Address 0x81da632 is 43 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
> This block was allocated from thread -185921408:
>
>   malloc [rtlib.o]
>   operator new(unsigned) [new_op.cc:48]
>   xercesc_2_3::MemoryManagerImpl::allocate(unsigned) [MemoryManagerImpl.cpp:75]
>   xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
>   xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
>   xercesc_2_3::DTDScanner::scanMarkupDecl(bool) [DTDScanner.cpp:3287]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2667]
>   xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
>   xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:511]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
>   xercesc_2_3::IGXMLScanner::scanDocTypeDecl() [IGXMLScanner.cpp:1403]
>   xercesc_2_3::XMLScanner::scanProlog() [XMLScanner.cpp:1180]
>   xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:198]
>
> ABW: Array bounds write
> This is occurring while in thread 2374:
>
>   xercesc_2_3::SchemaElementDecl::setXsiComplexTypeInfo(xercesc_2_3::ComplexTypeInfo*) [SchemaElementDecl.hpp:811]
>   xercesc_2_3::IGXMLScanner::scanEndTag(bool&) [IGXMLScanner.cpp:1093]
>   xercesc_2_3::IGXMLScanner::scanContent(bool) [IGXMLScanner.cpp:840]
>   xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:209]
>
> Writing 4 bytes to 0x81da614 in the heap.
> Address 0x81da614 is 13 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
> This block was allocated from thread -185921408:
>
>   malloc [rtlib.o]
>   operator new(unsigned) [new_op.cc:48]
>   xercesc_2_3::MemoryManagerImpl::allocate(unsigned) [MemoryManagerImpl.cpp:75]
>   xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
>   xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
>   xercesc_2_3::DTDScanner::scanMarkupDecl(bool) [DTDScanner.cpp:3287]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2667]
>   xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
>   __wcstold_internal [libc.so.6]
>   xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
>   xercesc_2_3::IGXMLScanner::scanDocTypeDecl() [IGXMLScanner.cpp:1403]
>   xercesc_2_3::XMLScanner::scanProlog() [XMLScanner.cpp:1180]
>   xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:198]
>
> I have confirmed that the problem is not present in 2.7.0. Unfortunately for
> the applications experiencing this error it is not possible to upgrade to
> 2.7.0 in the short to medium term, so we would like to try to get a patch for
> this in 2.3.0. Are there any known issues that might cause errors in this
> area?
>
> Our xerces installation is built from source, and the document is parsed
> using the SAX builder with validation enabled.
>
> We have a reproducible test case, but the source XML does contain some
> proprietary information so I have not supplied it at this time. It may be
> possible to remove said information if necessary.
>
> Graham
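The type confusion described in the comment above, as an added example that is not part of the issue or of Xerces-C++: a miniature ElementDecl hierarchy (hypothetical names and layout) showing why a scanner-side grammar flag must not drive a C-style downcast, and the dynamic_cast check that skips the update when the flag and the object disagree instead of writing past the smaller object.

```cpp
#include <string>
// Hypothetical stand-ins modelled on Xerces' XMLElementDecl / DTDElementDecl /
// SchemaElementDecl; names and layout are assumptions, not Xerces code.
enum class GrammarType { DTD, Schema };

struct ElementDecl {
    explicit ElementDecl(std::string n) : name(n) {}
    virtual ~ElementDecl() = default;   // polymorphic, so dynamic_cast works
    std::string name;
};

struct DTDElementDecl : ElementDecl { using ElementDecl::ElementDecl; };  // no schema-only fields

struct SchemaElementDecl : ElementDecl {
    using ElementDecl::ElementDecl;
    bool validity = false;              // field a DTDElementDecl lacks
    void updateValidityFromElement(bool ok) { validity = ok; }
};

// Buggy pattern from the report (shown, not executed: undefined behaviour).
// The scanner trusts its own fGrammarType flag and C-casts the stack entry;
// when that entry is really a DTDElementDecl, the store to `validity` lands
// past the end of the smaller object, which is the ABW Purify reported.
//
//   if (flag == GrammarType::Schema)
//       ((SchemaElementDecl*)top)->updateValidityFromElement(ok);

// Hardened pattern: ask the object what it is rather than the flag.
// dynamic_cast yields nullptr when flag and object disagree, so the update is
// skipped instead of writing out of bounds. Returns whether it was applied.
bool safeUpdateValidity(ElementDecl* top, GrammarType flag, bool ok) {
    if (flag != GrammarType::Schema) return false;
    auto* sd = dynamic_cast<SchemaElementDecl*>(top);
    if (sd == nullptr) return false;    // flag says Schema, object is DTD
    sd->updateValidityFromElement(ok);
    return true;
}

// The report's scenario: <bar> was declared by the DTD, but the scanner's
// flag drifted to Schema after xsi:noNamespaceSchemaLocation was seen.
bool mismatchIsRejected() {
    DTDElementDecl bar("bar");
    return !safeUpdateValidity(&bar, GrammarType::Schema, true);
}

bool matchIsApplied() {
    SchemaElementDecl bar("bar");
    return safeUpdateValidity(&bar, GrammarType::Schema, true) && bar.validity;
}
```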