[ https://issues.apache.org/jira/browse/XERCESC-1921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Boris Kolpackov closed XERCESC-1921.
------------------------------------

    Resolution: Invalid

Scott, the documentation for replaceTokens specifies that the buffer should be 
maxChars + 1 long to accommodate for the null terminator. While this interface 
is not ideal, this function is internal so I am not sure whether it makes sense 
to change it. I have audited all the places it is called from and they all make 
sure to allocate an extra character in the buffer. Please reopen this issue if you 
see an actual buffer overrun.

> Buffer overflow in XMLString::replaceTokens()
> ---------------------------------------------
>
>                 Key: XERCESC-1921
>                 URL: https://issues.apache.org/jira/browse/XERCESC-1921
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Utilities
>         Environment: Probably any C++ Environment
>            Reporter: Scott Colcord
>
> The function XMLString::replaceTokens() does not take its terminating NULL 
> into account when comparing with the maxChars limit passed by the caller.  
> Consequently, when passed a too-large string, it will overwrite one XMLCh 
> after the buffer.
> It should be changed to test (curOutInd+1 < maxChars), and increment 
> curOutInd when setting the null.
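
The two buffer-size conventions discussed in this thread, as an added example that is not Xerces-C++ source and not part of the original messages. The function names are hypothetical, `char16_t` stands in for `XMLCh`, and the guard-filled arena is an assumption used so the demonstration never writes out of bounds.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-ins, not Xerces-C++ source. Both copy `src` into `out`
// and null-terminate; they differ only in how `maxChars` is interpreted.

// Convention A (the documented contract described in the closing comment):
// up to maxChars characters are written, THEN the terminator, so `out`
// must hold maxChars + 1 slots.
std::size_t copyCharsPlusNull(const char16_t* src, char16_t* out, std::size_t maxChars) {
    std::size_t i = 0;
    while (src[i] != 0 && i < maxChars) { out[i] = src[i]; ++i; }
    out[i] = 0;               // may land at index maxChars
    return i + 1;             // slots written, terminator included
}

// Convention B (the reporter's proposal): the terminator counts against
// maxChars, so `out` needs exactly maxChars slots (requires maxChars >= 1).
std::size_t copyWithinLimit(const char16_t* src, char16_t* out, std::size_t maxChars) {
    std::size_t i = 0;
    while (src[i] != 0 && i + 1 < maxChars) { out[i] = src[i]; ++i; }
    out[i] = 0;               // lands at index <= maxChars - 1
    return i + 1;
}

// Runs a copy into an arena of maxChars + 1 slots pre-filled with a guard
// value and reports whether slot [maxChars] was touched. The arena is always
// large enough, so the check itself stays in bounds.
template <typename Fn>
bool touchesSlotPastLimit(Fn copy, const std::u16string& input, std::size_t maxChars) {
    const char16_t guard = 0xFFFF;
    std::vector<char16_t> arena(maxChars + 1, guard);
    copy(input.c_str(), arena.data(), maxChars);
    return arena[maxChars] != guard;
}

int main() {
    const std::u16string tooLong = u"0123456789";   // constructed sample input
    bool a = touchesSlotPastLimit(copyCharsPlusNull, tooLong, 4);  // true
    bool b = touchesSlotPastLimit(copyWithinLimit, tooLong, 4);    // false
    return (a && !b) ? 0 : 1;
}
```

Under convention A a caller that allocates only `maxChars` slots loses one element past its buffer on over-long input, which is why an audit of every call site for the extra slot is the relevant check.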
