Re: [xml] Crash in xmlschemas.c when validating XML containing mixed CDATA section



Hi,

On Mon, 2005-12-19 at 14:14 -0800, Judy Hay wrote:
Hi,
 
I'm running into a problem with the XML schema validation code when
applied to CDATA sections that happen to have some trailing
whitespace.  It seems to be isolated to cases where a namespace is
being used.
 
The following XML and XSD snippets will cause the crash in the latest
(2.6.22) version of xmllint I have:
 
XML:
<?xml version="1.0" encoding="utf-8"?>
<ex:List xmlns:ex="http://www.foo.com">
    <ex:Item>
        <![CDATA[A single item]]>
    </ex:Item>
</ex:List>

XSD:
<?xml version="1.0" encoding="utf-8" ?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://www.foo.com" xmlns:ex="http://www.foo.com"
elementFormDefault="qualified" attributeFormDefault="qualified">
    <xs:element name="List" type="ex:ListT"/>
 
    <xs:complexType name="ListT">
        <xs:sequence>
            <xs:element name="Item" type="xs:string" minOccurs="0"
maxOccurs="1"/>
        </xs:sequence>
    </xs:complexType>
</xs:schema>
 
If you remove the whitespace from around the CDATA section, you do not
get a crash and the XML validates just fine.
 
The crash is happening in xmlschemas.c at line 23877 (in
xmlSchemaVPushText).  xmlStrncat is called with a "len" variable that
was passed in from the calling function as -1 (other parts of
xmlSchemaVPushText consider this).  Eventually that -1 gets passed
into a memcpy call by xmlStrncat and causes a seg fault.
 
I don't think this line is ever called if namespaces aren't being used
-- at least, I couldn't reproduce this error in that case.
 
Anyway, I was wondering if this is a known bug and if there are any
plans to fix it in the near future.  Or if I'm just using really bad
XML/XSD and if so, please let me know (well, I don't have any control
over the XML I'm getting, but it would be good to know if there's
something wrong with it, too).

It was a bug. Thank you for the thorough analysis of the problem; it was
easy to spot this way.
We'll now compute the length of the value beforehand, to be on the safe
side in xmlSchemaVPushText().
Additionally we changed xmlStrncat() to return NULL if @len < 0 is
given.

Fixed in CVS, xmlschemas.c revision 1.188.

Thanks for the report!

Regards,

Kasimier
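Added illustration of the defect the report describes and of the two changes the reply mentions (computing the length before concatenating, and rejecting a negative length in the concatenation routine). This is example code written for this page, not libxml2's own; strncat_checked() and push_text() are hypothetical stand-ins for xmlStrncat() and the text-push step of xmlSchemaVPushText().

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for xmlStrncat(): append len bytes of add to the heap string cur.
 * The pre-fix code forwarded len to memcpy unchecked, so a len of -1 became
 * a huge size_t and memcpy ran off the end of the buffer (the reported
 * segfault). Mitigation from the reply: return NULL when len < 0. */
static char *strncat_checked(char *cur, const char *add, int len)
{
    if (len < 0)                      /* refuse the -1 sentinel outright */
        return NULL;
    if (add == NULL || len == 0)
        return cur;
    size_t curlen = (cur != NULL) ? strlen(cur) : 0;
    char *out = realloc(cur, curlen + (size_t)len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out + curlen, add, (size_t)len);
    out[curlen + (size_t)len] = '\0';
    return out;
}

/* Stand-in for the text-push step: callers may pass len == -1 to mean
 * "the whole NUL-terminated value". Resolve that sentinel here, before the
 * concatenation routine ever sees it (the reply's first change), instead of
 * passing -1 through to a function that treats it as a byte count. */
static char *push_text(char *buf, const char *value, int len)
{
    if (value == NULL)
        return buf;
    if (len < 0)
        len = (int)strlen(value);    /* compute the length beforehand */
    return strncat_checked(buf, value, len);
}

/* Mirrors the report: the whitespace text node around the CDATA section is
 * pushed with len == -1, followed by the CDATA content. Returns the
 * accumulated value, or NULL if any step failed. Caller frees the result. */
static char *accumulate_item(void)
{
    char *buf = push_text(NULL, "\n        ", -1);   /* whitespace, len -1 */
    if (buf == NULL)
        return NULL;
    char *next = push_text(buf, "A single item", -1); /* CDATA content */
    if (next == NULL) {
        free(buf);
        return NULL;
    }
    return next;
}
```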


