本文讨论了Xerces库在OpenBSD 5.1版本中遇到的编码问题,具体涉及到wcsrtombs和mbsrtowcs函数的行为不符合文档说明。通过修改配置脚本来检测并调整这些函数的使用方式,可以解决潜在的内存访问风险。包括了一个基于函数返回值的补丁代码示例。
//break main.cpp:63
//break main.cpp:155
//break WAPI.cpp:72
//break bOSXMLHelper.cpp:40
//break PlatformUtils.hpp:813
//break MemoryManagerImpl.cpp:37
//break WorkflowListener.cpp:67
//break XMLString.hpp:1451
//break Hashers.hpp:47
//break RangeToken.cpp:335
//break XMLRangeFactory.cpp:113
//break XMLInitializer.cpp:51
//break XMLInitializer.cpp:62 // 调试到此处,停止
//break XMLInitializer.cpp:61 // 所以,进入到initializeDatatypeValidatorFactory()单步跟踪,使用s,不要用n
break IconvTransService.cpp:432 //找到了故障点(在这一行的)。
break IconvTransService.cpp:460 //估计是内存分配问题,比如 溢出
===================================================================
http://c-dev.xerces.apache.narkive.com/DWSpAHdF/xerces-trunk-on-openbsd-5-1
===================================================================
Post by Alberto Massari
Hi Simon,
it looks that libc in OpenBSD 5.1 is not obeying to the documentation for
wcsrtombs/mbsrtowcs.
If *d**s**t* is not a null pointer, the pointer object pointed to
by *s**r**c* is assigned either a null pointer (if conversion
stopped due to reaching a terminating null wide-character)
or the address just past the last wide-character converted
(if any).
Instead of hacking the code to try to detect whether the conversion
actually wrote a NULL character in the converted string, I chose to modify
the 'configure' script to detect this behaviour and disable the usage of
the re-entrant functions if it doesn't match how the Xerces code uses them.
Thank you for reporting this issue,
Alberto
---------------------------------------
Hi,
I wanted to try using xerces on openbsd 5.1.
unknow reason.
After reading the code, it turns out that the end of conversion by
wcsrtombs and mbsrtowcs is based on a test on source pointer (source
pointer should point on null character).
The problem is that this behaviour is not implemented. Source pointer
points on the character following the last converted character leading
xerces binary to a risky memory access.
Below, there is a patch based on values returned by the functions (-1 in
case of error, >= 0 in case of complete/incomplete conversion) that fixes
the problem.
Regards,
Simon Elbaz
$ svn diff xercesc/util/Transcoders/Iconv/IconvTransService.cpp
Index: xercesc/util/Transcoders/Iconv/IconvTransService.cpp
===================================================================
--- xercesc/util/Transcoders/Iconv/IconvTransService.cpp (revision
1387785)
+++ xercesc/util/Transcoders/Iconv/IconvTransService.cpp (working
copy)
@@ -429,7 +429,7 @@
srcBuffer[gTempBuffArraySize - 1] = 0;
const wchar_t *src = 0;
- while (toTranscode[srcCursor] || src)
+ while (toTranscode[srcCursor])
{
if (src == 0) // copy a piece of the source string into a local
// buffer, converted to wchar_t and NULL-terminated.
@@ -454,7 +454,7 @@
break;
}
dstCursor += len;
- if (src != 0) // conversion not finished. This *always* means there
+ if (len == (resultSize - dstCursor)) // conversion not finished.
This *always* means there
// was not enough room in the destination buffer.
{
reallocString<char>(resultString, resultSize, manager,
resultString != localBuffer);
@@ -512,9 +512,9 @@
break;
}
dstCursor += len;
- if (src == 0) // conversion finished
+ if ((len >= 0) && (len < (resultSize - dstCursor))) // conversion
finished
break;
- if (dstCursor >= resultSize - 1)
+ if (len == (resultSize - dstCursor))
reallocString<wchar_t>(tmpString, resultSize, manager,
tmpString != localBuffer);
}
===================================================================
//break main.cpp:155
//break WAPI.cpp:72
//break bOSXMLHelper.cpp:40
//break PlatformUtils.hpp:813
//break MemoryManagerImpl.cpp:37
//break WorkflowListener.cpp:67
//break XMLString.hpp:1451
//break Hashers.hpp:47
//break RangeToken.cpp:335
//break XMLRangeFactory.cpp:113
//break XMLInitializer.cpp:51
//break XMLInitializer.cpp:62 // 调试到此处,停止
//break XMLInitializer.cpp:61 // 所以,进入到initializeDatatypeValidatorFactory()单步跟踪,使用s,不要用n
break IconvTransService.cpp:432 //找到了故障点(在这一行的)。
break IconvTransService.cpp:460 //估计是内存分配问题,比如 溢出
===================================================================
http://c-dev.xerces.apache.narkive.com/DWSpAHdF/xerces-trunk-on-openbsd-5-1
===================================================================
Post by Alberto Massari
Hi Simon,
it looks that libc in OpenBSD 5.1 is not obeying to the documentation for
wcsrtombs/mbsrtowcs.
If *d**s**t* is not a null pointer, the pointer object pointed to
by *s**r**c* is assigned either a null pointer (if conversion
stopped due to reaching a terminating null wide-character)
or the address just past the last wide-character converted
(if any).
Instead of hacking the code to try to detect whether the conversion
actually wrote a NULL character in the converted string, I chose to modify
the 'configure' script to detect this behaviour and disable the usage of
the re-entrant functions if it doesn't match how the Xerces code uses them.
Thank you for reporting this issue,
Alberto
---------------------------------------
Hi,
I wanted to try using xerces on openbsd 5.1.
unknow reason.
After reading the code, it turns out that the end of conversion by
wcsrtombs and mbsrtowcs is based on a test on source pointer (source
pointer should point on null character).
The problem is that this behaviour is not implemented. Source pointer
points on the character following the last converted character leading
xerces binary to a risky memory access.
Below, there is a patch based on values returned by the functions (-1 in
case of error, >= 0 in case of complete/incomplete conversion) that fixes
the problem.
Regards,
Simon Elbaz
$ svn diff xercesc/util/Transcoders/Iconv/IconvTransService.cpp
Index: xercesc/util/Transcoders/Iconv/IconvTransService.cpp
===================================================================
--- xercesc/util/Transcoders/Iconv/IconvTransService.cpp (revision
1387785)
+++ xercesc/util/Transcoders/Iconv/IconvTransService.cpp (working
copy)
@@ -429,7 +429,7 @@
srcBuffer[gTempBuffArraySize - 1] = 0;
const wchar_t *src = 0;
- while (toTranscode[srcCursor] || src)
+ while (toTranscode[srcCursor])
{
if (src == 0) // copy a piece of the source string into a local
// buffer, converted to wchar_t and NULL-terminated.
@@ -454,7 +454,7 @@
break;
}
dstCursor += len;
- if (src != 0) // conversion not finished. This *always* means there
+ if (len == (resultSize - dstCursor)) // conversion not finished.
This *always* means there
// was not enough room in the destination buffer.
{
reallocString<char>(resultString, resultSize, manager,
resultString != localBuffer);
@@ -512,9 +512,9 @@
break;
}
dstCursor += len;
- if (src == 0) // conversion finished
+ if ((len >= 0) && (len < (resultSize - dstCursor))) // conversion
finished
break;
- if (dstCursor >= resultSize - 1)
+ if (len == (resultSize - dstCursor))
reallocString<wchar_t>(tmpString, resultSize, manager,
tmpString != localBuffer);
}
===================================================================
<script>window._bd_share_config={"common":{"bdsnskey":{},"bdtext":"","bdmini":"2","bdminilist":false,"bdpic":"","bdstyle":"0","bdsize":"16"},"share":{}};with(document)0[(getelementsbytagname('head')[0]||body).appendchild(createelement('script')).src='http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new date()/36e5)];</script>
阅读(34) | 评论(0) | 转发(0) |
相关热门文章
给主人留下些什么吧!~~
评论热议
扫一扫
9
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
