I have a segfault in mod_xml2enc.c, xml2enc_ffunc() when processing a page with big5 charset.

The crash happens on line 472 because ctx->convset is NULL:

rv = apr_xlate_conv_buffer(ctx->convset, buf+(bytes - insz),
                           &insz, ctx->buf, &ctx->bytes);

The sequence leading to this crash is:

* Call apr_xlate_conv_buffer(...). Return value is APR_INCOMPLETE (_not_ APR_EINCOMPLETE) (probably because the buffer ends in the middle of a multi-byte character).

* In "switch (rv)" enter the default case, set ctx->convset to NULL, and despite what the comment says ("Bail out, flush ...") don't bail out, instead continue with the loop.

* Call apr_xlate_conv_buffer(NULL, ...), crash with a segfault.

Two questions:

(1) Is APR_INCOMPLETE the same as APR_EINCOMPLETE when using the xlate API? Then the "case APR_EINCOMPLETE" should probably also handle "case APR_INCOMPLETE".

(2) What's the proper way to bail out from the default case? Just return, or is there anything to consider regarding ctx->bbnext?

Thanks for your help.

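A toy model of the control flow the report describes, added here as an example; it is not mod_xml2enc or APR code. The converter toy_conv_buffer, the status codes TOY_*, and the functions buggy_loop and convert_chunks are stand-ins (assumptions of this example), and the Big5-like decoding (any byte >= 0x80 starts a 2-byte character, emitted as '#') is a simplification. buggy_loop reproduces the sequence from the report (drop the convset in the default case, keep looping, call the converter with NULL), with the NULL dereference replaced by a sentinel status; convert_chunks shows one way to bail out: treat the incomplete-input status as a chunk boundary, keep the unconsumed tail for the next chunk, and return at once on any other non-success status so the convset is never touched after being invalidated.

```c
/* Added example, not mod_xml2enc or APR code: a toy model of the loop in the
 * report. Converter, status codes and buffer handling are stand-ins. */
#include <stddef.h>
#include <string.h>

/* Stand-in status codes. Assumption: like APR, the "incomplete input" status
 * (TOY_INCOMPLETE) is a different value from the error TOY_EINCOMPLETE. */
enum { TOY_SUCCESS = 0, TOY_INCOMPLETE = 1, TOY_EINCOMPLETE = 2,
       TOY_NULL_CONVSET = -1 /* toy stand-in for the segfault on NULL */ };

typedef struct { int unused; } toy_convset;

/* Toy converter with apr_xlate_conv_buffer's calling convention: consumes from
 * inbuf and updates *inbytes_left / *outbytes_left. ASCII copies through; a
 * byte >= 0x80 starts a 2-byte character, emitted as '#'. If the input ends
 * right after a lead byte, that byte is left unconsumed and TOY_INCOMPLETE is
 * returned, modelling the APR_INCOMPLETE the report sees for big5 input. */
static int toy_conv_buffer(toy_convset *cs, const unsigned char *inbuf,
                           size_t *inbytes_left, char *outbuf,
                           size_t *outbytes_left)
{
    const unsigned char *p = inbuf;
    char *q = outbuf;
    size_t in = *inbytes_left, out = *outbytes_left;
    int rv = TOY_SUCCESS;

    if (cs == NULL)
        return TOY_NULL_CONVSET;   /* the real call dereferences NULL here */

    while (in > 0 && out > 0) {
        if (p[0] < 0x80) {
            *q++ = (char)*p++;
            in--; out--;
        } else if (in < 2) {       /* lead byte without its trail byte */
            rv = TOY_INCOMPLETE;
            break;
        } else {
            *q++ = '#';
            p += 2; in -= 2; out--;
        }
    }
    *inbytes_left = in;
    *outbytes_left = out;
    return rv;
}

/* The control flow the report describes: the default case drops convset but
 * does not leave the loop, so the next call passes NULL. Returns the status
 * of the last converter call (TOY_NULL_CONVSET stands in for the crash). */
static int buggy_loop(const unsigned char *buf, size_t bytes,
                      char *out, size_t outsz)
{
    toy_convset cs = {0};
    toy_convset *convset = &cs;
    size_t insz = bytes, outleft = outsz;
    int rv = TOY_SUCCESS;

    while (insz > 0 && outleft > 0) {
        rv = toy_conv_buffer(convset, buf + (bytes - insz), &insz,
                             out + (outsz - outleft), &outleft);
        switch (rv) {
        case TOY_SUCCESS:
            break;
        case TOY_EINCOMPLETE:      /* not what the converter returns here */
            return rv;
        case TOY_NULL_CONVSET:     /* in the real code: segfault */
            return rv;
        default:
            convset = NULL;        /* "bail out" comment, but no bail out */
            break;
        }
    }
    return rv;
}

/* Fixed control flow over a sequence of chunks: TOY_INCOMPLETE is expected at
 * a chunk boundary, so the unconsumed tail is carried into the next chunk;
 * any other non-success status returns immediately. Returns the number of
 * output bytes (NUL-terminated when there is room), or -1 on error. */
static long convert_chunks(const unsigned char *const *chunks,
                           const size_t *lens, int nchunks,
                           char *out, size_t outsz)
{
    toy_convset cs = {0};
    unsigned char work[256];       /* toy scratch: pending tail + next chunk */
    size_t pending = 0, outleft = outsz;
    int i;

    for (i = 0; i < nchunks; i++) {
        size_t total, insz;
        if (pending + lens[i] > sizeof work)
            return -1;
        memcpy(work + pending, chunks[i], lens[i]);
        total = insz = pending + lens[i];
        pending = 0;
        while (insz > 0) {
            int rv = toy_conv_buffer(&cs, work + (total - insz), &insz,
                                     out + (outsz - outleft), &outleft);
            if (rv == TOY_INCOMPLETE) {
                memmove(work, work + (total - insz), insz); /* keep the tail */
                pending = insz;
                break;
            }
            if (rv != TOY_SUCCESS)
                return -1;         /* bail out; cs is never used again */
            if (outleft == 0 && insz > 0)
                return -1;         /* toy: output buffer too small */
        }
    }
    if (pending > 0)
        return -1;                 /* stream ended in the middle of a character */
    if (outleft > 0)
        out[outsz - outleft] = '\0';
    return (long)(outsz - outleft);
}
```

With a chunk that ends on a lead byte, buggy_loop reaches the converter with a NULL convset on its second iteration, which is the crash in the report; convert_chunks carries the lead byte into the next chunk and produces the joined output.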