Xerces-C++ / XERCESC-1637

Purify reports ABW (Array Bounds Write) errors during validation


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Won't Fix
    • 2.3.0
    • None
    • None
    • Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
      Linux paias1011 2.4.21-32.0.1.EL.msdwhugemem #1 SMP Mon Dec 5 21:32:44 EST 2005 i686 i686 i386 GNU/Linux
      gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-42)

    Description

      We are experiencing crashes using Xerces with a custom memory allocator, and the root cause of the crashes appears to be some invalid memory writes during parsing. Purify reports the errors as follows:

      ABW: Array bounds write
      This is occurring while in thread 2374:
      xercesc_2_3::SchemaElementDecl::updateValidityFromElement(xercesc_2_3::XMLElementDecl const*, xercesc_2_3::Grammar::GrammarType) [SchemaElementDecl.hpp:873]
      xercesc_2_3::IGXMLScanner::scanEndTag(bool&) [IGXMLScanner.cpp:1075]
      xercesc_2_3::IGXMLScanner::scanContent(bool) [IGXMLScanner.cpp:840]
      xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:209]
      Writing 1 byte to 0x81da630 in the heap.
      Address 0x81da630 is 41 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
      This block was allocated from thread -185921408:
      malloc [rtlib.o]
      operator new(unsigned) [new_op.cc:48]
      xercesc_2_3::MemoryManagerImpl::allocate(unsigned) [MemoryManagerImpl.cpp:75]
      xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
      xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
      xercesc_2_3::DTDScanner::scanMarkupDecl(bool) [DTDScanner.cpp:3287]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2667]
      xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
      xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
      xercesc_2_3::IGXMLScanner::scanDocTypeDecl() [IGXMLScanner.cpp:1403]
      xercesc_2_3::XMLScanner::scanProlog() [XMLScanner.cpp:1180]
      xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:198]

      ABW: Array bounds write
      This is occurring while in thread 2374:
      xercesc_2_3::SchemaElementDecl::updateValidityFromElement(xercesc_2_3::XMLElementDecl const*, xercesc_2_3::Grammar::GrammarType) [SchemaElementDecl.hpp:880]
      xercesc_2_3::IGXMLScanner::scanEndTag(bool&) [IGXMLScanner.cpp:1075]
      xercesc_2_3::IGXMLScanner::scanContent(bool) [IGXMLScanner.cpp:840]
      xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:209]
      Writing 1 byte to 0x81da632 in the heap.
      Address 0x81da632 is 43 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
      This block was allocated from thread -185921408:
      malloc [rtlib.o]
      operator new(unsigned) [new_op.cc:48]
      xercesc_2_3::MemoryManagerImpl::allocate(unsigned) [MemoryManagerImpl.cpp:75]
      xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
      xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
      xercesc_2_3::DTDScanner::scanMarkupDecl(bool) [DTDScanner.cpp:3287]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2667]
      xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
      xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:511]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
      xercesc_2_3::IGXMLScanner::scanDocTypeDecl() [IGXMLScanner.cpp:1403]
      xercesc_2_3::XMLScanner::scanProlog() [XMLScanner.cpp:1180]
      xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:198]

      ABW: Array bounds write
      This is occurring while in thread 2374:
      xercesc_2_3::SchemaElementDecl::setXsiComplexTypeInfo(xercesc_2_3::ComplexTypeInfo*) [SchemaElementDecl.hpp:811]
      xercesc_2_3::IGXMLScanner::scanEndTag(bool&) [IGXMLScanner.cpp:1093]
      xercesc_2_3::IGXMLScanner::scanContent(bool) [IGXMLScanner.cpp:840]
      xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:209]
      Writing 4 bytes to 0x81da614 in the heap.
      Address 0x81da614 is 13 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
      This block was allocated from thread -185921408:
      malloc [rtlib.o]
      operator new(unsigned) [new_op.cc:48]
      xercesc_2_3::MemoryManagerImpl::allocate(unsigned) [MemoryManagerImpl.cpp:75]
      xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
      xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
      xercesc_2_3::DTDScanner::scanMarkupDecl(bool) [DTDScanner.cpp:3287]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2667]
      xercesc_2_3::DTDScanner::expandPERef(bool, bool, bool, bool) [DTDScanner.cpp:514]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
      __wcstold_internal [libc.so.6]
      xercesc_2_3::DTDScanner::scanExtSubsetDecl(bool, bool) [DTDScanner.cpp:2719]
      xercesc_2_3::IGXMLScanner::scanDocTypeDecl() [IGXMLScanner.cpp:1403]
      xercesc_2_3::XMLScanner::scanProlog() [XMLScanner.cpp:1180]
      xercesc_2_3::IGXMLScanner::scanDocument(xercesc_2_3::InputSource const&) [IGXMLScanner.cpp:198]

      I have confirmed that the problem is not present in 2.7.0. Unfortunately, for the applications experiencing this error, it is not possible to upgrade to 2.7.0 in the short to medium term, so we would like to try to get a patch for this in 2.3.0. Are there any known issues that might cause errors in this area?

      Our Xerces installation is built from source, and the document is parsed using the SAX builder with validation enabled.

      We have a reproducible test case, but the source XML does contain some proprietary information, so I have not supplied it at this time. It may be possible to remove said information if necessary.

      Graham
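
      A triage aid added here, not part of the reporter's text or of the Xerces-C++ code: a small Python parser over the Purify records above (abridged inline) that recomputes each write's offset from the start of the heap block and extracts the writing function and the allocation site. The result field names are this example's own.

```python
import re

# Abridged from the Purify report on this page: per record, the writing frame,
# both address lines, and two frames of the allocation stack.
REPORT = """\
ABW: Array bounds write
xercesc_2_3::SchemaElementDecl::updateValidityFromElement(xercesc_2_3::XMLElementDecl const*, xercesc_2_3::Grammar::GrammarType) [SchemaElementDecl.hpp:873]
Writing 1 byte to 0x81da630 in the heap.
Address 0x81da630 is 41 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
ABW: Array bounds write
xercesc_2_3::SchemaElementDecl::updateValidityFromElement(xercesc_2_3::XMLElementDecl const*, xercesc_2_3::Grammar::GrammarType) [SchemaElementDecl.hpp:880]
Writing 1 byte to 0x81da632 in the heap.
Address 0x81da632 is 43 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
ABW: Array bounds write
xercesc_2_3::SchemaElementDecl::setXsiComplexTypeInfo(xercesc_2_3::ComplexTypeInfo*) [SchemaElementDecl.hpp:811]
Writing 4 bytes to 0x81da614 in the heap.
Address 0x81da614 is 13 bytes past end of a malloc'd block at 0x81da5d0 of 56 bytes.
xercesc_2_3::XMemory::operator new(unsigned, xercesc_2_3::MemoryManager*) [XMemory.cpp:92]
xercesc_2_3::DTDScanner::scanElementDecl() [DTDScanner.cpp:1863]
"""

FRAME = re.compile(r"^(.+?)(?:\(.*\))? \[(\S+)\]$")  # function(args) [where]
ADDR = re.compile(r"Address (0x[0-9a-f]+) is (\d+) bytes past end of a "
                  r"malloc'd block at (0x[0-9a-f]+) of (\d+) bytes")
WRAPPER = re.compile(r"malloc|operator new|::allocate")  # allocator plumbing

def frames(text):
    return [m for m in map(FRAME.match, text.splitlines()) if m]

def triage(report):
    rows = []
    for rec in report.split("ABW:")[1:]:
        m = ADDR.search(rec)
        addr, past, base, size = (int(g, 0) for g in m.groups())
        if addr - (base + size) + 1 != past:  # Purify counts from 1 past end
            raise ValueError("address lines disagree")
        width = int(re.search(r"Writing (\d+) byte", rec).group(1))
        writer = frames(rec[:m.start()])[0]          # top frame of the write
        site = next(f for f in frames(rec[m.end():])  # first non-allocator frame
                    if not WRAPPER.search(f.group(1)))
        rows.append(dict(writer=writer.group(1), where=writer.group(2),
                         offset=addr - base, width=width, size=size,
                         alloc_site=site.group(1)))
    return rows
```

      On the records above, all three writes land at offsets 96, 98 and 68 of the same 56-byte block, which was allocated in `DTDScanner::scanElementDecl`, while every writing frame is a `SchemaElementDecl` member function.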

          People

            Assignee: Unassigned
            Reporter: Graham Bennett (graham33)