From noreply at sourceforge.net Fri Dec 14 19:18:30 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Fri, 14 Dec 2012 10:18:30 -0800
Subject: [Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
Message-ID: <3YNKkx1101zRJK@mail.python.org>

Bugs item #3596044, was opened at 2012-12-14 10:18
Message generated for change (Tracker Item Submitted) made by shanmukhpatel
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3596044&group_id=10127

Please note that this message will contain a full copy of the comment
thread, including the initial issue submission, for this request,
not just the latest update.

Category: www.libexpat.org
Group: Third-party Bug
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Parser crash with *.xml.tar.gz file as input.

Initial Comment:
I was using the xml library to parse a file which is compressed. I was
expecting an error message if the format is invalid, but the parser
crashes if I provide the *.xml.tar.gz file.

I have attached the file (the same file; I got it from
https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127).

----------------------------------------------------------------------

From noreply at sourceforge.net Fri Dec 14 19:20:08 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Fri, 14 Dec 2012 10:20:08 -0800
Subject: [Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
Message-ID: <3YNKmp4qPVzNjb@mail.python.org>

Message generated for change (Settings changed) made by shanmukhpatel

Category: www.libexpat.org
Group: Third-party Bug
Status: Open
Resolution: None
>Priority: 3
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Parser crash with *.xml.tar.gz file as input.

----------------------------------------------------------------------

From noreply at sourceforge.net Fri Dec 14 21:21:08 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Fri, 14 Dec 2012 12:21:08 -0800
Subject: [Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
Message-ID: <3YNNSR5YtyzMx4@mail.python.org>

Message generated for change (Comment added) made by shanmukhpatel

Category: www.libexpat.org
Group: Third-party Bug
Status: Open
Resolution: None
Priority: 3
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Parser crash with *.xml.tar.gz file as input.

>Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 12:21

Message:
The issue is in the updatePosition() part of the call stack:

  #0 normal_updatePosition (enc=0x171db220, ptr=0xd4fa6005 "", end=0x2580b2d00 "", pos=0x2580b3f60)
  #1 0x00000000171b32dd in XML_GetCurrentLineNumber (parser=0x2580b3b50)

After continuing with the above context, the parser crashed:

  0x00000000171c5794 in normal_updatePosition (enc=0x171db220, ptr=0xd4fa7000, end=0x2580b2d00 "", pos=0x2580b3f60)

Notice the ptr address is out of bounds.

The issue is that ptr is assigned an address far from the "end" pointer
address. Say my string length is 3 ("abc") and the ptr address is 1234
and the end address is 9999. In this case, the loop has to iterate 3
times as my string length is 3, but based on the condition (ptr < end),
the loop may iterate (9999-1234) times and crash in between.

  void PREFIX(updatePosition)(const ENCODING *enc,
                              const char *ptr,
                              const char *end,
                              POSITION *pos)
  {
    while (ptr < end ) {
      ...
  }

The temporary fix made for this issue is to rely on the string length:

  int str_len = strlen(ptr);
  while (ptr < end && str_len--) {

----------------------------------------------------------------------

From noreply at sourceforge.net Fri Dec 14 22:48:00 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Fri, 14 Dec 2012 13:48:00 -0800
Subject: [Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
Message-ID: <3YNQNh6c6zzMrV@mail.python.org>

Message generated for change (Comment added) made by shanmukhpatel

Category: www.libexpat.org
Group: Third-party Bug
Status: Open
Resolution: None
>Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: Parser crash with *.xml.tar.gz file as input.

>Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-14 13:48

Message:
This issue looks similar to
https://sourceforge.net/tracker/?func=detail&aid=2855609&group_id=10127&atid=110127

----------------------------------------------------------------------

From noreply at sourceforge.net Sat Dec 15 02:36:45 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Fri, 14 Dec 2012 17:36:45 -0800
Subject: [Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
Message-ID: <3YNWSb34dfzNK6@mail.python.org>

Message generated for change (Comment added) made by kwaclaw

Category: www.libexpat.org
>Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
>Assigned to: Karl Waclawek (kwaclaw)
Summary: Parser crash with *.xml.tar.gz file as input.

>Comment By: Karl Waclawek (kwaclaw)
Date: 2012-12-14 17:36

Message:
I cannot reproduce the issue with your file.
What version of Expat are you using?
Could you please try the latest source in CVS and let me know if you still
have the issue.

----------------------------------------------------------------------

From noreply at sourceforge.net Tue Dec 18 01:20:16 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Mon, 17 Dec 2012 16:20:16 -0800
Subject: [Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
Message-ID: <3YQKcz22ytzNdm@mail.python.org>

Message generated for change (Comment added) made by shanmukhpatel

Category: www.libexpat.org
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Karl Waclawek (kwaclaw)
Summary: Parser crash with *.xml.tar.gz file as input.

>Comment By: Shanmukh (shanmukhpatel)
Date: 2012-12-17 16:20

Message:
I didn't realize that I was using the old version 2.0.1, which has these
issues. These issues have been fixed in the latest source, 2.1.0. Sorry
about that!

----------------------------------------------------------------------

From noreply at sourceforge.net Tue Dec 18 01:22:06 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Mon, 17 Dec 2012 16:22:06 -0800
Subject: [Expat-bugs] [ expat-Bugs-3596044 ] Parser crash with *.xml.tar.gz file as input.
Message-ID: <3YQKg53FZ4zNgd@mail.python.org>

Message generated for change (Settings changed) made by shanmukhpatel

Category: www.libexpat.org
Group: None
>Status: Closed
>Resolution: Invalid
Priority: 5
Private: No
Submitted By: Shanmukh (shanmukhpatel)
Assigned to: Karl Waclawek (kwaclaw)
Summary: Parser crash with *.xml.tar.gz file as input.

----------------------------------------------------------------------
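
The 2012-12-14 12:21 comment describes a position-update loop guarded only by (ptr < end). As an added example (not code from this thread, from Expat, or from the 2.1.0 fix), the sketch below tracks the span as offsets validated against the buffer length, and shows on binary input that a strlen-bounded loop stops at the first NUL byte and undercounts lines. The names pos_t, update_position_checked and walk_strlen_bounded are hypothetical, and SAMPLE is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a parser position; not Expat's POSITION type. */
typedef struct { unsigned long line, col; } pos_t;

static void step(char c, pos_t *pos)
{
    if (c == '\n') { pos->line++; pos->col = 0; }
    else pos->col++;
}

/* Advance *pos over buf[from..to). Returns 0 on success, -1 when the span
 * is not inside the buffer, so a stale or foreign position is rejected
 * before any byte is read. */
int update_position_checked(const char *buf, size_t buf_len,
                            size_t from, size_t to, pos_t *pos)
{
    if (buf == NULL || pos == NULL || from > to || to > buf_len)
        return -1;
    for (size_t i = from; i < to; i++)
        step(buf[i], pos);
    return 0;
}

/* Loop shape of the thread's workaround: stop at end or at the first NUL.
 * Returns the number of bytes examined. Only safe if ptr is NUL-terminated. */
size_t walk_strlen_bounded(const char *ptr, const char *end, pos_t *pos)
{
    size_t n = 0, str_len = strlen(ptr);
    while (ptr < end && str_len--) {
        step(*ptr++, pos);
        n++;
    }
    return n;
}

/* Constructed sample: gzip magic, a NUL byte, then two newlines. */
static const char SAMPLE[] = { 0x1f, (char)0x8b, 0x08, 0x00, '\n', 'a', '\n', 'b', 0x00 };
#define SAMPLE_LEN (sizeof SAMPLE)

int main(void)
{
    pos_t a = {0, 0}, b = {0, 0};
    int rc = update_position_checked(SAMPLE, SAMPLE_LEN, 0, SAMPLE_LEN, &a);
    size_t seen = walk_strlen_bounded(SAMPLE, SAMPLE + SAMPLE_LEN, &b);
    printf("checked: rc=%d line=%lu col=%lu\n", rc, a.line, a.col);
    printf("strlen-bounded: bytes=%zu line=%lu\n", seen, b.line);
    printf("out of range: rc=%d\n",
           update_position_checked(SAMPLE, SAMPLE_LEN, 5, SAMPLE_LEN + 100, &a));
    return 0;
}
```
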