Bug 353700 - off-by-one error in xmlSchemaGetCanonValue()
Status: RESOLVED FIXED
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware: Other Linux
Importance: Normal minor
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
Reported: 2006-08-31 15:56 UTC by Tavis Ormandy
Modified: 2006-10-11 11:55 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Tavis Ormandy 2006-08-31 15:56:26 UTC
This case from xmlSchemaGetCanonValue() mismatches snprintf length restriction and buffer size.

	case XML_SCHEMAS_GMONTH: {
		/* TODO: Unclear in XML Schema 1.0 */
		/* TODO: What to do with the timezone? */
		*retValue = xmlMalloc(5);
		snprintf((char *) *retValue, 6, "--%02u",
		    val->value.date.mon);
	    }
	    break;
Comment 1 Daniel Veillard 2006-10-11 11:55:24 UTC
Okay, fixed. More worrying was the fact that the return values of many
xmlMalloc calls were not tested; fixed too.

  Thanks for raising the problem!

Daniel
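
The mismatch reported above, as an added example that is not libxml2 code and not the committed fix: the first function computes how many bytes snprintf stores for a given size argument, and the second is one way to keep the allocation and the limit tied to a single constant while checking the allocation result. The names `gmonth_bytes_stored`, `format_gmonth` and `GMONTH_BUF_SIZE` are hypothetical, and the month is taken as a plain `unsigned int`, which is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { GMONTH_BUF_SIZE = 5 };   /* "--MM" plus the terminating NUL */

/* Bytes snprintf would store (NUL included) for a given size argument.
 * Computed without writing anywhere, so it is safe to call with any limit. */
size_t gmonth_bytes_stored(unsigned int mon, size_t limit)
{
    int n = snprintf(NULL, 0, "--%02u", mon);
    size_t needed;

    if (n < 0)
        return 0;
    needed = (size_t) n + 1;
    return needed < limit ? needed : limit;
}

/* Hypothetical helper, not libxml2 API: one constant sizes both the
 * allocation and the snprintf limit; allocation and truncation are checked.
 * Returns 0 and sets *out on success, -1 (with *out == NULL) otherwise. */
int format_gmonth(unsigned int mon, char **out)
{
    char *buf;
    int n;

    if (out == NULL)
        return -1;
    *out = NULL;
    buf = malloc(GMONTH_BUF_SIZE);
    if (buf == NULL)
        return -1;
    n = snprintf(buf, GMONTH_BUF_SIZE, "--%02u", mon);
    if (n < 0 || n >= GMONTH_BUF_SIZE) {
        free(buf);
        return -1;
    }
    *out = buf;
    return 0;
}

int main(void)
{
    char *s = NULL;

    /* Constructed inputs: 12 fits in 5 bytes; 100 needs 6. */
    printf("limit 6, mon 12:  %zu bytes\n", gmonth_bytes_stored(12, 6));
    printf("limit 6, mon 100: %zu bytes\n", gmonth_bytes_stored(100, 6));
    if (format_gmonth(12, &s) == 0) {
        puts(s);
        free(s);
    }
    return 0;
}
```

With a limit of 6 and a three-digit value, six bytes are stored, one more than the 5-byte allocation holds; with the limit equal to the allocation, the output is truncated instead and the helper reports failure.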