Re: [xml] Nasty DTD parsing bug (IO buffering, perhaps?)



On Wed, Feb 07, 2007 at 03:20:38PM +1100, Michael Day wrote:
> Hi,
>
> Here is a DTD parsing bug in libxml2 (tested with 2.6.27).
>
> Download the following .tar.gz:
>
>      http://www.princexml.com/download/nasty-libxml2-dtd-bug.tar.gz
>
> Unpack it and run:
>
>      $ xmllint --loaddtd bug.xml
>
> You will get lots of error messages, the first one being:
>
>      nlm/references.ent:381: parser error : Comment not terminated
>
> However if you look at the file, you will see that is nonsense, and
> there are no unterminated comments on line 381.
>
> Even worse, if you delete *one character* from the references.ent file
> at *any point* before line 381, then everything works fine!
>
> This appears to be some kind of IO buffering error or something like
> that, as the parser seems to be dependent on how many characters are in
> the file before that point.


  Probably a missing GROW somewhere in the DTD parsing code, please bugzilla
I can't debug this ATM,

  thanks,

Daniel

-- 
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard      | virtualization library  http://libvirt.org/
veillard redhat com  | libxml GNOME XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine  http://rpmfind.net/
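
Added example, not part of the original thread and not libxml2 code: a toy model of the kind of bug the reply suspects, where a multi-byte lookahead for "-->" runs without first refilling the input window. CHUNK, Input, grow(), peek() and comment_terminated() are hypothetical names, and both inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 16 /* constructed refill size; real parsers use far larger buffers */

typedef struct { const char *src; size_t len, avail; } Input;

/* Make one more chunk visible to the parser (the role a GROW-style refill plays). */
static void grow(Input *in) {
    in->avail = (in->len - in->avail > CHUNK) ? in->avail + CHUNK : in->len;
}

/* Bytes not loaded yet read as NUL, like a NUL-terminated input buffer. */
static char peek(const Input *in, size_t i) {
    return i < in->avail ? in->src[i] : '\0';
}

/* Scan a comment body for "-->". Returns 1 if found, 0 for "Comment not terminated".
   refill_before_lookahead = 0 models the missing refill. */
int comment_terminated(const char *body, int refill_before_lookahead) {
    Input in = { body, strlen(body), 0 };
    for (size_t i = 0; i < in.len; i++) {
        if (i >= in.avail)
            grow(&in); /* both variants refill for the current byte */
        if (refill_before_lookahead)
            while (i + 2 >= in.avail && in.avail < in.len)
                grow(&in); /* make sure the 3-byte lookahead is loaded */
        if (peek(&in, i) == '-' && peek(&in, i + 1) == '-' && peek(&in, i + 2) == '>')
            return 1;
    }
    return 0;
}

/* Constructed inputs: 14 filler bytes put "-->" across the 16-byte boundary,
   13 filler bytes (one character deleted) keep it inside the first chunk. */
static const char STRADDLE[] = "0123456789abcd-->";
static const char SHIFTED[]  = "0123456789abc-->";

int main(void) {
    printf("straddle, no refill: %d\n", comment_terminated(STRADDLE, 0));
    printf("shifted,  no refill: %d\n", comment_terminated(SHIFTED, 0));
    printf("straddle, refill:    %d\n", comment_terminated(STRADDLE, 1));
    return 0;
}
```

Without the refill, the terminator is missed only when it straddles a chunk boundary, so removing a single earlier byte makes the error disappear, which matches the symptom reported above.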


