Description:
============
When I create a DOM document using the Xerces APIs, for very specific input it creates the wrong payload. This is observable on 64-bit but on 32-bit. For testing I have written a sample with a createDocument API which creates a DOM document and prints it in string format.
I ran the test on the following inputs:
createDocument("types:statusSet","http://xyz.com");
The createDocument function just creates a DOM document and prints the payload. Following is the output of the above string on a 32-bit machine.
32 bit platforms output:
prefix = types:statusSet
LocalName = statusSet
doc = <types:statusSet xmlns:types:statusSet="http://xyz.com"/>
===================
Severity : Critical
===================
Platforms: ALL
==============
Cause and resolution
====================
I debugged the Xerces code; the issue is in
File : "DOMDocumentImpl.hpp"
Function : "DOMDocumentImpl::getPooledNString(const XMLCh *in, XMLSize_t n)"
Patch:
======
— DOMDocumentImpl.hpp 2008-07-24 15:58:29.000000000 +0530
+++ /data/eclipse_workspace/CppIT-3.1.0/XercesTEst/src/xercesc/dom/impl/DOMDocumentImpl.hpp 2010-08-22 10:36:18.000000000 +0530
@@ -401,9 +401,11 @@
pspe = &fNameTable[inHash];
while (*pspe != 0)
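Review bot: the hunk at @@ -401,9 +401,11 @@ carries only two context lines (pspe = &fNameTable[inHash]; and while (*pspe != 0)) and none of the added lines, so the change inside the while loop cannot be checked here; please attach the complete hunk. Going by the Issue description, the match in that loop should require the pooled string to end after n characters as well as agree on its first n characters. The +++ header also points at an absolute workspace path (/data/eclipse_workspace/...) while the old-file header is a bare file name, so the paths need editing before the patch applies; regenerate it from the source root with matching relative paths on both header lines.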
Issue:
======
1. getPooledNString computes the hash of the prefix and searches in fNameTable.
2. Once the hash is found, the code checks pooledString and 'n' characters of qualifiedString. !!!!! WRONG !!!!!
3. If the comparison is true, it returns the pooled string.
Ex:
In case of "types:statusSet", it will compare "types:statusSet" and the first 6 characters of "types:", and it finds the comparison true. It returns the pooled string "types:statusSet" as the prefix !!!!! WRONG !!!!!
How to reproduce:
=================
Very easy to reproduce. Run the sample program I have attached.
Resolution:
===========
I have attached patch file with resolution.
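
The comparison flaw described under "Issue", reduced to a stand-alone sketch. This is an added example, not code from the report or from Xerces-C: the NamePool class, its method names, the first-character hash (constructed so the collision always happens) and the prefix length 5 for "types" are all assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <list>
#include <string>
#include <vector>

const std::size_t kBuckets = 8;

// Minimal string pool for illustration (hypothetical, not the Xerces-C code).
class NamePool {
public:
    NamePool() : table_(kBuckets) {}
    // Flawed lookup: a pooled entry matches if its first n characters agree.
    const char* internPrefixOnly(const char* in, std::size_t n) { return intern(in, n, false); }
    // Corrected lookup: the pooled entry must also end after n characters.
    const char* internExact(const char* in, std::size_t n) { return intern(in, n, true); }
private:
    // Constructed weak hash (first character only) so a name and its prefix
    // always share a bucket; a real table collides only for some inputs.
    static std::size_t bucketOf(const char* in, std::size_t n) {
        return n == 0 ? 0 : static_cast<unsigned char>(in[0]) % kBuckets;
    }
    const char* intern(const char* in, std::size_t n, bool checkLength) {
        std::list<std::string>& chain = table_[bucketOf(in, n)];
        for (const std::string& pooled : chain) {
            bool samePrefix = pooled.size() >= n && std::strncmp(pooled.c_str(), in, n) == 0;
            if (samePrefix && (!checkLength || pooled.size() == n))
                return pooled.c_str();
        }
        chain.emplace_back(in, n);          // pool a copy of the first n characters
        return chain.back().c_str();
    }
    std::vector<std::list<std::string> > table_;
};

// Pool the qualified name, then ask for its 5-character prefix "types".
std::string lookupPrefix(bool exact) {
    NamePool pool;
    const char* qname = "types:statusSet";  // input taken from the report
    std::size_t len = std::strlen(qname);
    if (exact) { pool.internExact(qname, len); return pool.internExact(qname, 5); }
    pool.internPrefixOnly(qname, len);
    return pool.internPrefixOnly(qname, 5);
}

int main() {
    std::printf("prefix-only match: %s\n", lookupPrefix(false).c_str());
    std::printf("length-checked:    %s\n", lookupPrefix(true).c_str());
    return 0;
}
```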