[ https://issues.apache.org/jira/browse/XERCESJ-1398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12765546#action_12765546 ]
Michael Glavassevich commented on XERCESJ-1398:
-----------------------------------------------

While I now understand what you're seeing (with some modification that must have been made to the code to support a "custom" Reader implementation) this is not something that is occurring in practice. Xerces has no mechanism to plug in alternate Reader implementations. It has its own UTF-8 Reader and it always uses it for UTF-8.

> Supplying document without content-type headers causes entire stream to be buffered in memory, even when using SAX API
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: XERCESJ-1398
> URL: https://issues.apache.org/jira/browse/XERCESJ-1398
> Project: Xerces2-J
> Issue Type: Bug
> Components: SAX
> Affects Versions: 2.9.1
> Environment: Debian Linux, Sun JDK 1.5.0_20
> Reporter: Karl Wright
>
> If the parser needs to autodetect the encoding of the input stream, it wraps
> the input stream using the RewindableInputStream class within
> XMLEntityManager. But this class buffers everything that is read from the
> stream, even after the autodetection is complete (and no possibility of
> rewind being used exists anymore). It is therefore trivial to submit XML to
> xerces2-j which causes an "OutOfMemoryError" exception to be thrown, which
> could lead to a denial of service under appropriate conditions.
> The fix I created for this involved adding a method "stopBuffering()" to the
> RewindableInputStream class, which shuts off further buffering by that class.
> I call this method when the encoding has been decided upon (i.e. right
> before createReader is called, everywhere).
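The buffering behaviour and the stopBuffering() change described in the quoted issue report, sketched as an added example; this is not Xerces code or the reporter's patch. The class `RewindableStream`, its fields, and the constructed 1 MiB input are hypothetical and only model a wrapper that retains bytes for rewind during encoding autodetection.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

// Hypothetical stand-in for a rewindable wrapper; not the Xerces class.
class RewindableStream extends InputStream {
    private final InputStream in;
    private byte[] buf = new byte[64];   // bytes retained for replay
    private int length = 0, pos = 0;     // retained count, replay position
    private boolean buffering = true;

    RewindableStream(InputStream in) { this.in = in; }
    void rewind() {                      // only meaningful while still buffering
        if (!buffering) throw new IllegalStateException("rewind after stopBuffering");
        pos = 0;
    }
    void stopBuffering() { buffering = false; }   // encoding decided: retain nothing more
    int retained() { return buf == null ? 0 : length; }

    @Override public int read() throws IOException {
        if (buf != null && pos < length) return buf[pos++] & 0xff;  // replay sniffed bytes
        if (!buffering) buf = null;      // replay drained: release the buffer
        int b = in.read();
        if (b >= 0 && buffering) {       // unbounded growth unless stopBuffering() was called
            if (length == buf.length) buf = Arrays.copyOf(buf, length * 2);
            buf[length++] = (byte) b;
            pos = length;
        }
        return b;
    }
}

public class StopBufferingDemo {
    public static void main(String[] args) throws IOException {
        byte[] doc = new byte[1 << 20];  // constructed 1 MiB sample document
        Arrays.fill(doc, (byte) ' ');
        byte[] head = "<?xml version=\"1.0\"?><r>".getBytes("US-ASCII");
        System.arraycopy(head, 0, doc, 0, head.length);
        for (boolean stop : new boolean[] {false, true}) {
            RewindableStream s = new RewindableStream(new ByteArrayInputStream(doc));
            for (int i = 0; i < 4; i++) s.read();    // sniff leading bytes for autodetection
            s.rewind();
            if (stop) s.stopBuffering();             // the call the report proposes
            long n = 0;
            while (s.read() >= 0) n++;
            System.out.println("stopBuffering=" + stop + " read=" + n + " retained=" + s.retained());
        }
    }
}
```

The first pass keeps every byte of the input in the wrapper's buffer; the second replays the four sniffed bytes and then holds nothing, so memory use no longer scales with document size.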