Even Rouault created XERCESC-2241:
-------------------------------------
Summary: Integer overflows in DFAContentModel class
Key: XERCESC-2241
URL: https://issues.apache.org/jira/browse/XERCESC-2241
Project: Xerces-C++
Issue Type: Bug
Components: Validating Parser (XML Schema)
Reporter: Even Rouault
On .xsd files like the following ones (generated by ossfuzz, so broken),
integer overflows can happen in DFAContentModel::countLeafNodes() and
DFAContentModel::buildDFA() which can later cause out-of-bounds access.
Found in [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025]
```
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema";
xmlns:myns="http://myns";
targetNamespace="http://myns";
elementFormDefault="qualified" attributeFormDefault="unqualified">
<xs:element name="main_elt">
<xs:complexType>
<xs:sequence>
<xs:group ref="myns:mygroup" minOccurs="32767" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:group name="mygroup">
<xs:sequence>
<!-- related to https://issues.apache.org/jira/browse/XERCESC-1051 -->
<xs:element name="elt" maxOccurs="33333">
<xs:complexType>
<xs:sequence>
ame="x" type="xs:int" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:group>
</xs:schema>
```
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
