From noreply at sourceforge.net Mon Jul 9 09:12:24 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Mon, 09 Jul 2012 00:12:24 -0700
Subject: [Expat-bugs] [ expat-Bugs-3541525 ] Infinite loop in lib/xmlparse.c:XML_GetBuffer
Message-ID: <3WVyRH2Q93zNRY@mail.python.org>

Bugs item #3541525, was opened at 2012-07-09 00:12
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: http://kasten76.myopenid.com/ ()
Assigned to: Nobody/Anonymous (nobody)
Summary: Infinite loop in lib/xmlparse.c:XML_GetBuffer

Initial Comment:
Hi, first thanks for maintaining expat.

I found this bug in version 2.0.1 but the code is the same in the current development version.

When XML_GetBuffer is called and bufferSize is 0 it will be initialised to INIT_BUFFER_SIZE (1024), which is doubled until it is bigger than neededSize (line 1718). For my example neededSize was

  (gdb) p neededSize
  $2 = 2128558980

The doubling is optimized to a shift operation (gcc 4.7.0). The doubling shifts the true bit in bufferSize out of scope without breaking the loop.

  (gdb) p 1024 << 20
  $10 = 1073741824
  (gdb) p 1024 << 21
  $11 = -2147483648
  (gdb) p 1024 << 22
  $12 = 0

And then goes into an endless loop.

Still searching why the buffer is so huge but I wanted to mention this bug anyway.

Regards.
----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127


From noreply at sourceforge.net Tue Jul 24 07:57:44 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Mon, 23 Jul 2012 22:57:44 -0700
Subject: [Expat-bugs] [ expat-Bugs-3524730 ] potential null pointer dereference
Message-ID: <3Wh84C30z4zPQH@mail.python.org>

Bugs item #3524730, was opened at 2012-05-08 06:56
Message generated for change (Comment added) made by sahegde1
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127

Category: None
Group: Test Required
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: tomaszmi (tomaszmi)
Assigned to: Nobody/Anonymous (nobody)
Summary: potential null pointer dereference

Initial Comment:
Expat version 2.1.0

There may be a potential null pointer dereference in the xmlparse.c file, line 2914. The lookup function may return NULL and this case is not checked before the line #2914.

I'm not familiar with expat details, however in general if such case is not possible, it would be good to make sure the program will be terminated/aborted, for instance using assert:

  assert(id);

----------------------------------------------------------------------

Comment By: Sandeep L Hegde (sahegde1)
Date: 2012-07-23 22:57

Message:
I would like to work on this bug. Please assign it to me.

----------------------------------------------------------------------

Comment By: tomaszmi (tomaszmi)
Date: 2012-05-08 07:51

Message:
The similar issue is in the xmlparse.c, line #5478. The id->prefix may be set to null however in the next line the pointer is dereferenced without any check.
----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127


From noreply at sourceforge.net Tue Jul 24 07:59:36 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Mon, 23 Jul 2012 22:59:36 -0700
Subject: [Expat-bugs] [ expat-Bugs-3541525 ] Infinite loop in lib/xmlparse.c:XML_GetBuffer
Message-ID: <3Wh86L1c1hzPVH@mail.python.org>

Bugs item #3541525, was opened at 2012-07-09 00:12
Message generated for change (Comment added) made by polinenibharat
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127
----------------------------------------------------------------------

Comment By: Bharat (polinenibharat)
Date: 2012-07-23 22:59

Message:
Hi this looks great. I started working on it. Please assign it to me.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127


From noreply at sourceforge.net Tue Jul 24 09:34:54 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Tue, 24 Jul 2012 00:34:54 -0700
Subject: [Expat-bugs] [ expat-Bugs-3524730 ] potential null pointer dereference
Message-ID: <3WhBDJ2WzfzNF7@mail.python.org>

Bugs item #3524730, was opened at 2012-05-08 06:56
Message generated for change (Comment added) made by tomaszmi
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127

----------------------------------------------------------------------

>Comment By: tomaszmi (tomaszmi)
Date: 2012-07-24 00:34

Message:
sahegde1, you are not on the list of people available to be assigned to it.
----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127


From noreply at sourceforge.net Tue Jul 24 16:05:18 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Tue, 24 Jul 2012 07:05:18 -0700
Subject: [Expat-bugs] [ expat-Bugs-3524730 ] potential null pointer dereference
Message-ID: <3WhLtr0vyDzPY5@mail.python.org>

Bugs item #3524730, was opened at 2012-05-08 06:56
Message generated for change (Comment added) made by sahegde1
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127

----------------------------------------------------------------------

Comment By: Sandeep L Hegde (sahegde1)
Date: 2012-07-24 07:05

Message:
Sorry, I am a newbie to open source. How do I add myself to the list?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127


From noreply at sourceforge.net Tue Jul 24 17:56:56 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Tue, 24 Jul 2012 08:56:56 -0700
Subject: [Expat-bugs] [ expat-Bugs-3524730 ] potential null pointer dereference
Message-ID: <3WhPMb0PP3zPWZ@mail.python.org>

Bugs item #3524730, was opened at 2012-05-08 06:56
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127

----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2012-07-24 08:56

Message:
The best approach is to submit a patch in the Patch tracker. We will then review it and merge it into the source code.
----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3524730&group_id=10127


From noreply at sourceforge.net Tue Jul 24 17:59:30 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Tue, 24 Jul 2012 08:59:30 -0700
Subject: [Expat-bugs] [ expat-Bugs-3541525 ] Infinite loop in lib/xmlparse.c:XML_GetBuffer
Message-ID: <3WhPQc34XVzPWn@mail.python.org>

Bugs item #3541525, was opened at 2012-07-09 00:12
Message generated for change (Comment added) made by kwaclaw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127
----------------------------------------------------------------------

>Comment By: Karl Waclawek (kwaclaw)
Date: 2012-07-24 08:59

Message:
We are grateful for patches to Expat bugs. Patches should be submitted to the Patch tracker. Thank you.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127


From noreply at sourceforge.net Thu Jul 26 06:46:57 2012
From: noreply at sourceforge.net (SourceForge.net)
Date: Wed, 25 Jul 2012 21:46:57 -0700
Subject: [Expat-bugs] [ expat-Bugs-3541525 ] Infinite loop in lib/xmlparse.c:XML_GetBuffer
Message-ID: <3WjLPc1GmCzMLp@mail.python.org>

Bugs item #3541525, was opened at 2012-07-09 00:12
Message generated for change (Comment added) made by polinenibharat
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127

----------------------------------------------------------------------

Comment By: Bharat (polinenibharat)
Date: 2012-07-25 21:46

Message:
Hi Karl,

There is a small logical overlooking of extreme cases in lines 1718 - 1722, in lib/xmlparse.c : XML_GetBuffer

******
  if (bufferSize == 0)
    bufferSize = INIT_BUFFER_SIZE;
  do {
    bufferSize *= 2;
  } while (bufferSize < neededSize);
******

Here the do - while is going into an infinite loop because of the shift operation << 1 that the compiler is performing at line 1721 -> bufferSize *= 2;

Here if bufferSize is 0, this loop is infinite. Since they are all integers, if the neededSize is anything between [2^30+1, 2^31-1] the bufferSize will eventually shift to become 0 and goes infinite.

To overcome this an easy and simple solution without changing much code could be to add the line,

  bufferSize += 1;

(after line number 1721). This will ensure that the condition (bufferSize < neededSize) will be evaluated to false for any value of neededSize, because at some stage bufferSize will be equal to 2^31-1, the highest possible integer value before overflow. Since the allotted buffer size can be dynamic based on our neededSize, it should not change the structure significantly.

final code:

************
  if (bufferSize == 0)
    bufferSize = INIT_BUFFER_SIZE;
  do {
    bufferSize *= 2;
    bufferSize += 1;
  } while (bufferSize < neededSize);
***********

I am new to open source and am sorry I did not know how to submit the patch at the patch tracker. Hoping it helped. If it's ok I'd like to look at as many open bugs.

I really got to liking expat more after looking through the code :)

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127
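The growth loop quoted in this thread, as an added example that is not expat's own code and not part of the tracker messages: it reproduces the wrap the reporter saw under gdb (1024 << 21 going negative, then 0) and places a bounded variant beside it that returns an error instead of spinning. The function names, the iteration cap and the -1 error convention are this example's own assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define INIT_BUFFER_SIZE 1024   /* the constant the report quotes */

/* The loop as quoted from XML_GetBuffer. Doubling a signed int past
 * INT_MAX is undefined behaviour; gcc emits a shift, so the value wraps
 * to INT_MIN and then to 0, and 0 < neededSize holds forever. The
 * uint32_t cast reproduces that wrap deterministically, and an
 * iteration cap (not in expat) turns the hang into a return value.
 * Returns 1 if the loop would never terminate, 0 otherwise. */
static int grow_unchecked_spins(int bufferSize, int neededSize)
{
    int iterations = 0;
    if (bufferSize == 0)
        bufferSize = INIT_BUFFER_SIZE;
    do {
        bufferSize = (int)((uint32_t)bufferSize << 1);  /* bufferSize *= 2 */
        if (++iterations > 64)
            return 1;           /* 32 doublings already reached 0 */
    } while (bufferSize < neededSize);
    return 0;
}

/* Bounded variant: refuse to double when the result would exceed
 * INT_MAX, and reject a negative request outright. Returns the grown
 * size, or -1 so the caller can fail the allocation instead of hanging
 * or handing a wrapped size to malloc/realloc. */
static int grow_checked(int bufferSize, int neededSize)
{
    if (neededSize < 0)
        return -1;
    if (bufferSize <= 0)
        bufferSize = INIT_BUFFER_SIZE;
    do {
        if (bufferSize > INT_MAX / 2)
            return -1;          /* next doubling would overflow */
        bufferSize *= 2;
    } while (bufferSize < neededSize);
    return bufferSize;
}

int main(void)
{
    int huge = 2128558980;      /* neededSize from the gdb session above */
    printf("unchecked loop spins for %d: %d\n", huge, grow_unchecked_spins(0, huge));
    printf("unchecked loop spins for 5000: %d\n", grow_unchecked_spins(0, 5000));
    printf("checked growth for 5000: %d\n", grow_checked(0, 5000));
    printf("checked growth for %d: %d\n", huge, grow_checked(0, huge));
    return 0;
}
```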