[ https://issues.apache.org/jira/browse/XERCESC-1921?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Boris Kolpackov closed XERCESC-1921.
------------------------------------

    Resolution: Invalid

Scott, the documentation for replaceTokens specifies that the buffer should be maxChars + 1 long to accommodate for the null terminator. While this interface is not ideal, this function is internal so I am not sure whether it makes sense to change it. I have audited all the places it is called from and they all make sure to allocate an extra character in the buffer.

Please reopen this issue if you see an actual buffer overrun.

> Buffer overflow in XMLString::replaceTokens()
> ---------------------------------------------
>
>                 Key: XERCESC-1921
>                 URL: https://issues.apache.org/jira/browse/XERCESC-1921
>             Project: Xerces-C++
>          Issue Type: Bug
>          Components: Utilities
>         Environment: Probably any C++ Environment
>            Reporter: Scott Colcord
>
> The function XMLString::replaceTokens() does not take its terminating NULL
> into account when comparing with the maxChars limit passed by the caller.
> Consequently, when passed a too-large string, it will overwrite one XMLCh
> after the buffer.
> It should be changed to test (curOutInd+1 < maxChars), and increment
> curOutInd when setting the null.
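
The two buffer contracts discussed in this thread, as an added example that is not part of the original messages and is not Xerces-C++ code: a simplified model of in-place token expansion, run inside a larger arena so the slot just past the caller's declared capacity can be checked safely. The names expandTokens, guardIntact and termCounted, and the sample strings, are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Simplified model, not Xerces-C++ code. Expands {0}..{3} in buf in place.
// termCounted == false: maxChars excludes the terminator, so buf[maxChars] may
//   be written and the caller must allocate maxChars + 1 (documented contract).
// termCounted == true: maxChars includes the terminator (reporter's proposal).
// Returns the number of characters written before the terminator.
std::size_t expandTokens(char16_t* buf, std::size_t maxChars,
                         const char16_t* const repl[4], bool termCounted) {
    if (termCounted && maxChars == 0) return 0;       // no room for anything
    const std::size_t limit = termCounted ? maxChars - 1 : maxChars;
    const std::u16string src(buf);                    // snapshot of the input
    std::size_t out = 0;
    for (std::size_t i = 0; i < src.size() && out < limit; ) {
        if (src[i] == u'{' && i + 2 < src.size() && src[i + 1] >= u'0' &&
            src[i + 1] <= u'3' && src[i + 2] == u'}') {
            const char16_t* r = repl[src[i + 1] - u'0'];
            while (r && *r && out < limit) buf[out++] = *r++;
            i += 3;
        } else {
            buf[out++] = src[i++];
        }
    }
    buf[out] = 0;                                     // index may equal limit
    return out;
}

// Runs expandTokens inside a larger arena so the slot just past the caller's
// declared capacity can be inspected without undefined behaviour.
// Returns true if that guard slot is untouched afterwards.
bool guardIntact(std::size_t capacity, std::size_t maxChars, bool termCounted) {
    const char16_t kGuard = 0xFFFF;
    const std::u16string msg = u"{0}:{1}";            // constructed sample input
    if (capacity < msg.size() + 1) return false;      // input itself must fit
    std::vector<char16_t> arena(capacity + 1, kGuard);
    std::copy(msg.begin(), msg.end(), arena.begin());
    arena[msg.size()] = 0;
    const char16_t* repl[4] = {u"element", u"attribute", nullptr, nullptr};
    expandTokens(arena.data(), maxChars, repl, termCounted);
    return arena[capacity] == kGuard;
}
```

A guard-slot harness like this is one way to audit call sites of a function whose length parameter excludes the terminator: it fails only when a caller passes its full allocation size as maxChars.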