[
https://issues.apache.org/jira/browse/XERCESC-2241?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17612153#comment-17612153
]
Even Rouault commented on XERCESC-2241:
---------------------------------------
Fix in https://github.com/apache/xerces-c/pull/51
> Integer overflows in DFAContentModel class
> ------------------------------------------
>
> Key: XERCESC-2241
> URL: https://issues.apache.org/jira/browse/XERCESC-2241
> Project: Xerces-C++
> Issue Type: Bug
> Components: Validating Parser (XML Schema)
> Reporter: Even Rouault
> Priority: Major
>
> On .xsd files like the following ones (generated by ossfuzz, so broken),
> integer overflows can happen in DFAContentModel::countLeafNodes() and
> DFAContentModel::buildDFA() which can later cause out-of-bounds access.
> Found in [https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52025]
>
> ```
> <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema";
> xmlns:myns="http://myns";
> targetNamespace="http://myns";
> elementFormDefault="qualified" attributeFormDefault="unqualified">
> <xs:element name="main_elt">
> <xs:complexType>
> <xs:sequence>
> <xs:group ref="myns:mygroup" minOccurs="32767" maxOccurs="1"/>
> </xs:sequence>
> </xs:complexType>
> </xs:element>
> <xs:group name="mygroup">
> <xs:sequence>
> <!-- related to https://issues.apache.org/jira/browse/XERCESC-1051 -->
> <xs:element name="elt" maxOccurs="33333">
> <xs:complexType>
> <xs:sequence>
> ame="x" type="xs:int" maxOccurs="1"/>
> </xs:sequence>
> </xs:complexType>
> </xs:element>
> </xs:sequence>
> </xs:group>
> </xs:schema>
> ```
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: c-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: c-dev-h...@xerces.apache.org
