Re: [xml] reporting bug for lixml2.2.6-8

Rich Salz said:
the code. Basically given a pointer to a string the question is whether
that string comes from the dictionnary. To check that the pointer is
to the upper and lower bounds of the memory areas used by the dictionnary.
The pointers are unrelated, that's true, str could come from static memory
heap or stack and not being related to the dictionnaries allocated from heap
the comparison is still legal, harmless and the right thing to do in that
It's also very cheap, i.e. fast.

Being pedantic, you're not allowed to do "ordering tests" on pointers
unless you are sure they are related.  At least not in ANSI/ISO C.

Could you possibly expand somewhat upon this?  Which particular part of the
spec prohibits what type of pointer compare?  And, as I don't have easy access
to the spec (I just don't want to spend the money that ANSI requires to
provide a copy) any snippets which you could provide would be appreciated.

You'd have to explicit check for == or != against every pointer in
the dictionary.

Perhaps someone will offer a patch that does something like
    #define POINTER_WITHIN(ptr, lo, hi) \
        (ptr >= lo && ptr <= ho)
        int pointer_within(void* ptr, void* lo, void* hi)
                char* lop = lo;
                char* hip = hi;
                while (lop <= hip)
                        if (ptr == (void*)lop++) return 1;
                return 0;

you get the idea...

Well, this approach is obviously unacceptable.  The whole purpose of the
dictionary routines is to provide a fast and efficient method of working with
strings, and a serial search does not fit within this criteria.

Actually, referring back to the original post, the relevant compound compare
is supposed to be testing whether a particular xmlChar (i.e. unsigned char)
pointer points within a particular xmlChar array. As Daniel mentioned above,
the subject pointer is being compared to the beginning and ending addresses of
this array (which is guaranteed to be contiguous).  I believe the reason for
the "error" is because the element pool->array is declared as an xmlChar array
of size 1, so the attempted compare is between an xmlChar pointer and an
xmlChar array.  I don't have access to the user's software to prove this, but
I would be willing to put up a (reasonable) wager that changing that statement
    if ((str >= (xmlChar *)&pool->array) && (str <= pool->free))
or even
    if ((str >= &pool->array[0]) && (str <= pool->free))
would make the program happy and would make the problem disappear.

If Pascal could confirm that either of these changes fixes the problem, I
would be happy to change the CVS code accordingly.

Rich Salz                  Chief Security Architect
DataPower Technology
XS40 XML Security Gateway
XML Security Overview


libxml debugger and bugfixer

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]