Bug 766828 - xmlParseStartTag2() contains typo when checking for default definitions for an attribute in a namespace
Status: RESOLVED OBSOLETE
Product: libxml2
Classification: Platform
Component: general
Version: git master
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Daniel Veillard
QA Contact: libxml QA maintainers
Depends on:
Blocks:
 
 
Reported: 2016-05-24 03:38 UTC by David Kilzer
Modified: 2021-07-05 13:23 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description David Kilzer 2016-05-24 03:38:39 UTC
While reviewing the undefined behavior issues reported in Bug 752902, I tried changing the declaration of struct _xmlDefAttrs from this:

typedef struct _xmlDefAttrs xmlDefAttrs;
typedef xmlDefAttrs *xmlDefAttrsPtr;
struct _xmlDefAttrs {
    int nbAttrs;	/* number of defaulted attributes on that element */
    int maxAttrs;       /* the size of the array */
    const xmlChar *values[5]; /* array of localname/prefix/values/external */
};

to this:

typedef struct _xmlDefAttrs xmlDefAttrs;
typedef xmlDefAttrs *xmlDefAttrsPtr;
struct _xmlDefAttrs {
    int nbAttrs;	/* number of defaulted attributes on that element */
    int maxAttrs;       /* the size of the array */
    const xmlChar *values[][5]; /* array of localname/prefix/values/external */
};

Then I fixed the resulting compiler errors.

This resulted in finding the following bug in xmlParseStartTag2():

		    nsname = xmlGetNamespace(ctxt, attname);
		    if (nsname != defaults->values[2]) {  // Bad offset!
			if (nsPush(ctxt, attname,
			           defaults->values[5 * i + 2]) > 0)
			    nbNs++;
		    }

With the structure change, that should be:

		    nsname = xmlGetNamespace(ctxt, attname);
		    if (nsname != defaults->values[i][2]) {  // Fixed!
			if (nsPush(ctxt, attname,
			           defaults->values[i][2]) > 0)
			    nbNs++;
		    }

If we don't make the structure change, it should be:

		    nsname = xmlGetNamespace(ctxt, attname);
		    if (nsname != defaults->values[5 * i + 2]) {  // Fixed!
			if (nsPush(ctxt, attname,
			           defaults->values[5 * i + 2]) > 0)
			    nbNs++;
		    }
Comment 1 David Kilzer 2016-05-24 03:51:12 UTC
Note that this regression occurred back in September 2003 with commit e57ec790de9de71a3b646a853447a842f4fc3c9b:

<https://git.gnome.org/browse/libxml2/commit/?id=e57ec790de9de71a3b646a853447a842f4fc3c9b>
Comment 2 David Kilzer 2017-06-01 15:37:05 UTC
Nick fixed Undefined Behavior Sanitizer (UBSan) warnings in this code here:

https://git.gnome.org/browse/libxml2/commit/?id=474967241cdcce6d3a2fd356079571eee794ec12

However, the bug described here still exists.
Comment 3 GNOME Infrastructure Team 2021-07-05 13:23:29 UTC
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org.
As part of that, we are mass-closing older open tickets in bugzilla.gnome.org
which have not seen updates for a longer time (resources are unfortunately
quite limited so not every ticket can get handled).

If you can still reproduce the situation described in this ticket in a recent
and supported software version, then please follow
  https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines
and create a new ticket at
  https://gitlab.gnome.org/GNOME/libxml2/-/issues/

Thank you for your understanding and your help.