[ expat-Bugs-214050 ] Segmentation fault in libxmltok

noreply@sourceforge.net
Wed, 18 Apr 2001 13:35:04 -0700


Bugs item #214050, was updated on 2000-09-11 07:41
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=110127&aid=214050&group_id=10127

Category: None
Group: None
>Status: Closed
>Resolution: Works For Me
Priority: 5
Submitted By: christian liesch (ia97lies)
Assigned to: Nobody/Anonymous (nobody)
Summary: Segmentation fault in libxmltok

Initial Comment:
If I parse the following file (with an error near !DOCTYPE):

<?xml version="1.0" standalone="no"?>

<!-- etwas kommentar -->

!DOCTYPE OReilly:Books SYSTEM "dummy.dtd" [
  <!ELEMENT OReilly:Books (OReilly:Product, OReilly:Price)>
  <!ELEMENT OReilly:Product ANY>
  <!ELEMENT OReilly:Price ANY>
]>

<OReilly:Books>
  <OReilly:Product>XML Pocket Ref</OReilly:Product>
  <OReilly:Price>8.95
</OReilly:Books>

I got the following with my gdb:

!DOCTYPE OReilly:Books SYSTEM "dummy.dtd" [
error:no element found 
Program received signal SIGSEGV, Segmentation fault.
0x400269c5 in normal_updatePosition () from /usr/lib/libxmltok.so.1
(gdb) where
#0  0x400269c5 in normal_updatePosition () from /usr/lib/libxmltok.so.1
#1  0x4001b0d9 in XML_GetCurrentColumnNumber () from /usr/lib/libxmlparse.so.1
#2  0x8049154 in test_parse ()
#3  0x80491f5 in main ()
#4  0x4004da5e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93
(gdb) 


----------------------------------------------------------------------

>Comment By: Fred L. Drake, Jr. (fdrake)
Date: 2001-04-18 13:35

Message:
Logged In: YES 
user_id=3066

Closing this as it hasn't been reproduced with a recent version of Expat.

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2001-03-07 01:55

Message:
Logged In: NO 

I could reproduce this on a May 29 1999 version of
expat.  The problem seems to be that *ptr in
PREFIX(updatePosition)() is a null byte, which chokes
somewhere inside the BYTE_TYPE macro.  I fixed this (I
think) by testing for *ptr in the while loop.  Here's the
patch:

*** xmltok_impl.c	1999/09/03 14:54:37	1.1.1.1
--- xmltok_impl.c	2001/03/07 09:49:46
***************
*** 1709,1715 ****
  			    const char *end,
  			    POSITION *pos)
  {
!   while (ptr != end) {
      switch (BYTE_TYPE(enc, ptr)) {
  #define LEAD_CASE(n) \
      case BT_LEAD ## n: \
--- 1709,1715 ----
  			    const char *end,
  			    POSITION *pos)
  {
!   while (*ptr && ptr != end) {
      switch (BYTE_TYPE(enc, ptr)) {
  #define LEAD_CASE(n) \
      case BT_LEAD ## n: \
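Review bot: the added `*ptr &&` guard in the while condition treats a zero byte as end of input, which hides the symptom rather than explaining why `ptr != end` never fires; if the caller hands PREFIX(updatePosition) a ptr that is already past end (the backtrace shows XML_GetCurrentColumnNumber calling it after a parse error), the loop still walks off the buffer as soon as a non-zero byte is read. Prefer `while (ptr < end)` so an inverted range terminates at once, and fix the caller's ptr/end pair. Since PREFIX(updatePosition) is also instantiated for the 16-bit encodings, where a zero byte is half of every ASCII code unit, the guard would also stop line/column tracking early there.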


----------------------------------------------------------------------
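The position tracker the patch above touches, as an added example that is not Expat's code: a simplified byte-oriented model of the updatePosition loop (hypothetical names `Position`, `update_position`), bounded by `ptr < end` rather than by a zero byte, so embedded NULs count as ordinary columns and an inverted range cannot spin off the buffer.

```c
#include <stdio.h>
/* Added example, not Expat's code: a simplified, byte-oriented model of the
 * tokenizer's updatePosition loop with hypothetical names. The loop is
 * bounded by the [ptr, end) range alone; a zero byte is never treated as
 * end of input, so a buffer with embedded NULs is still positioned correctly. */
typedef struct {
    unsigned long lineNumber;
    unsigned long columnNumber;
} Position;

/* Advance pos over [ptr, end), counting LF, CR and CR LF as one line break.
 * Returns the number of bytes consumed; 0 for an empty or inverted range. */
size_t update_position(const char *ptr, const char *end, Position *pos)
{
    const char *start = ptr;
    if (ptr == NULL || end == NULL || ptr >= end)
        return 0;                     /* inverted range: refuse, do not spin */
    while (ptr < end) {               /* '<' rather than '!=': cannot overrun */
        switch (*ptr) {
        case '\n':
            pos->lineNumber++;
            pos->columnNumber = 0;
            ptr++;
            break;
        case '\r':
            pos->lineNumber++;
            pos->columnNumber = 0;
            ptr++;
            if (ptr < end && *ptr == '\n')  /* check bounds before peeking */
                ptr++;
            break;
        default:                       /* includes '\0': an ordinary column */
            pos->columnNumber++;
            ptr++;
            break;
        }
    }
    return (size_t)(ptr - start);
}

int main(void)
{
    /* Constructed input: CRLF, an embedded NUL on line 2, then LF. */
    static const char buf[] = "<a>\r\nx\0y\n<";
    Position pos = {1, 0};
    size_t n = update_position(buf, buf + sizeof buf - 1, &pos);
    printf("consumed %zu bytes: line %lu, column %lu\n", n, pos.lineNumber, pos.columnNumber);
    return 0;
}
```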

Comment By: Sam TH (samth)
Date: 2001-02-02 06:47

Message:
Could not reproduce this with CVS expat.  

----------------------------------------------------------------------

Comment By: Sam TH (samth)
Date: 2001-02-02 06:38

Message:
Could not reproduce this with CVS expat.  

----------------------------------------------------------------------

Comment By: Jacob Refstrup (jacob_refstrup)
Date: 2000-11-28 14:11

Message:
This appears to be fixed in 1.95.1

----------------------------------------------------------------------