[xml] xmlParseChunk crashes when used with xmlStopParser for double dash in comment tag.

From: JEGA <jegan s gmail com>
To: xml gnome org
Subject: [xml] xmlParseChunk crashes when used with xmlStopParser for double dash in comment tag.
Date: Thu, 17 Dec 2009 15:01:51 +0530

Hi

I am trying to parse an invalid xml(xml has double dash inside comments tag).Parser calls the error handler with proper error message.In the error handling part,I am calling xmlStopParser API. Immediately crash happens when the control returns to libxml2 code.I have debugged the libxml2 code to findÂ that it tries to copyÂthe remaining input to a buffer which leads toÂa crash. If I am not calling the xmlStopParser API it is working fine.

xmlStopParserÂ call sets 'ctxt->input->cur' pointer to empty string.(ctxt->input->cur = BAD_CAST"";).But this pointer is being usedÂin memcpy which causes the problem.

The following is the exact line at which the crash happens.

memcpy(&buf[len], ctxt->input->cur, nbchar); where

nbchar = in - ctxt->input->cur;

Note: In both opreration "ctxt->input->cur" is being used which is reset by xmlStopParserÂ

Input:

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
Â <SOAP:Body>
ÂÂÂÂÂ <List xmlns="http://schemas.xyz.com"></List>
ÂÂÂÂÂÂÂ </SOAP:Body>
Â</SOAP:Envelope>z

Can this be logged as bug?

Thanks,
Jeganathan.

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]