[xml] Long patterns with xmlTextReaderPreservePattern make xmlFreeTextReader crash



Hi.

In my case, code analogous to the one in example 'reader3.c' makes
'xmlFreeTextReader' crash when I use long patterns, e.g.
/ISUBusinessPartner/ISUAccounts/ISUAccount/ISUContracts/ISUContract/ISUInstallation/ISUMeterReaders/ISUMeterReader/SerialId
(shorter patterns work).

The code stripped to its minimum:

pReader = xmlReaderForMemory(...);
xmlTextReaderPreservePattern(pReader, (xmlChar*)pszXPath, NULL); // returns XML_ERR_OK
...
xmlFreeTextReader(pReader);

Called with the pattern mentioned above, the following values can be
observed after the call to 'xmlTextReaderPreservePattern':

pReader->patternTab[0]->nbStep has the value 11
pReader->patternTab[0]->maxStep has the value 10

On clean-up, xmlFreeTextReader calls xmlFreePattern, which relies upon
the value of nbStep (=11):

    for (i = 0; i < comp->nbStep; i++) {
        op = &comp->steps[i];
        if (op->value != NULL)
            xmlFree((xmlChar *) op->value);
        if (op->value2 != NULL)
            xmlFree((xmlChar *) op->value2);
    }

Accessing comp->steps[10] is not allowed and leads to a crash in
xmlFree. 

I am still using libxml2 version 2.6.5, but the above-mentioned code
doesn't seem to have changed in 2.6.16. Is there a way to check this
condition beforehand? Or to set the limit higher?

Thanks for any help.
Patrick
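An added example, not code from this report or from libxml2, that models the invariant the crash above breaks: a step table whose add routine grows the array before writing, so nbStep can never exceed maxStep, beside a free loop that checks nbStep against maxStep before walking the array rather than reading steps[maxStep] past the allocation. The struct, the names pattern_add_step, pattern_compile and pattern_free, and the growth policy are hypothetical; libxml2's own pattern struct is private to pattern.c and also emits non-name ops, so its nbStep for the same path is larger than this model's segment count.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a compiled pattern. libxml2's real struct is private
 * to pattern.c; only the field names nbStep/maxStep/steps follow the report. */
typedef struct { char *value; char *value2; } step_t;
typedef struct { int nbStep; int maxStep; step_t *steps; } pattern_t;

/* Append one step, growing (and zeroing) the array before the write, so the
 * invariant nbStep <= maxStep holds after every call. */
static int pattern_add_step(pattern_t *comp, const char *name) {
    if (comp->nbStep >= comp->maxStep) {
        int newMax = comp->maxStep ? comp->maxStep * 2 : 10;
        step_t *tmp = realloc(comp->steps, (size_t)newMax * sizeof(step_t));
        if (tmp == NULL) return -1;
        memset(tmp + comp->maxStep, 0, (size_t)(newMax - comp->maxStep) * sizeof(step_t));
        comp->steps = tmp;
        comp->maxStep = newMax;
    }
    comp->steps[comp->nbStep].value = strdup(name);
    if (comp->steps[comp->nbStep].value == NULL) return -1;
    comp->nbStep++;
    return 0;
}

/* Split a slash-separated path into name steps (constructed simplification:
 * libxml2 also emits non-name ops, so its nbStep is larger). Returns nbStep. */
static int pattern_compile(pattern_t *comp, const char *path) {
    char *copy = strdup(path), *save = NULL, *tok;
    if (copy == NULL) return -1;
    for (tok = strtok_r(copy, "/", &save); tok != NULL; tok = strtok_r(NULL, "/", &save))
        if (pattern_add_step(comp, tok) != 0) { free(copy); return -1; }
    free(copy);
    return comp->nbStep;
}

/* The free loop from the report, guarded: if nbStep exceeds maxStep the loop
 * is clamped to the allocated size and -1 is returned instead of reading
 * steps[maxStep] past the end of the buffer. */
static int pattern_free(pattern_t *comp) {
    int inconsistent = comp->nbStep > comp->maxStep;
    int limit = inconsistent ? comp->maxStep : comp->nbStep;
    for (int i = 0; i < limit; i++) {
        free(comp->steps[i].value);
        free(comp->steps[i].value2);
    }
    free(comp->steps);
    comp->steps = NULL;
    comp->nbStep = comp->maxStep = 0;
    return inconsistent ? -1 : 0;
}
```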
