Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
in axis2_libxml2_writer_wrapper_get_xml function we have:
output = AXIS2_MALLOC(env->allocator,
sizeof(axis2_char_t) * (
strlen((const axis2_char_t*)(writer_impl->buffer->content)) + 1));
sprintf(output,
((const axis2_char_t*)(writer_impl->buffer->content)));
Where buffer is defined as:
xmlBufferPtr buffer;
Looking at the definition of xmlBuffer, it looks to me that there is a size field that we should look into. Hence, just taking strlen of buffer content is error prone. Also, content is of type 'unsigned char'. Hence casting that to 'axis2_char_t' may also lead to errors.