[Expat-bugs] [ expat-Bugs-3541525 ] Infinite loop in lib/xmlparse.c:XML_GetBuffer
SourceForge.net
2012-07-09 07:12:24 UTC
Bugs item #3541525, was opened at 2012-07-09 00:12
Message generated for change (Tracker Item Submitted) made by
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=110127&aid=3541525&group_id=10127

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: http://kasten76.myopenid.com/ ()
Assigned to: Nobody/Anonymous (nobody)
Summary: Infinite loop in lib/xmlparse.c:XML_GetBuffer

Initial Comment:
Hi,
first thanks for maintaining expat.

I found this bug in version 2.0.1 but the code is the same in the current development version.

When XML_GetBuffer is called and bufferSize is 0 it will be initialised to INIT_BUFFER_SIZE (1024), which is doubled until it is bigger than neededSize (line 1718). For my example neededSize was
(gdb) p neededSize
$2 = 2128558980

The doubling is optimized to a shift operation (gcc 4.7.0). The doubling shifts the true bit in bufferSize out of scope without breaking the loop.

(gdb) p 1024 << 20
$10 = 1073741824
(gdb) p 1024 << 21
$11 = -2147483648
(gdb) p 1024 << 22
$12 = 0

And then it goes into an endless loop.

Still searching why the buffer is so huge but I wanted to mention this bug anyway.

Regards.

----------------------------------------------------------------------
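The following is an added illustration, not part of the bug report and not Expat's own code: a model of the growth loop as the report describes it (start at INIT_BUFFER_SIZE, double until the size is no longer below neededSize) next to a checked version that refuses the request instead of overflowing. The only values taken from the report are INIT_BUFFER_SIZE = 1024 and neededSize = 2128558980; the function names are hypothetical. The unchecked model does its arithmetic on uint32_t so the wrap-around is defined behaviour in the example (in a signed int, as in the real code, it is undefined), and it bounds the loop with an iteration limit so the non-termination shows up as a return value rather than a hang.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define INIT_BUFFER_SIZE 1024   /* value quoted in the report */

/* Size after n doublings of INIT_BUFFER_SIZE, read back as a 32-bit signed
 * int. Reproduces the reporter's gdb session: 20 -> 1073741824,
 * 21 -> -2147483648, 22 -> 0. The multiplication is done on uint32_t so the
 * wrap is defined here; the final conversion is implementation-defined
 * (two's complement on gcc). */
int32_t size_after_doublings(int n) {
    uint32_t size = INIT_BUFFER_SIZE;
    for (int i = 0; i < n; i++)
        size *= 2u;
    return (int32_t)size;
}

/* Model of the unchecked growth loop: double until the size is no longer
 * below needed_size, using the loop's signed comparison. Once the sign bit
 * has been shifted out the size is 0 and stays 0, so the condition never
 * fails. max_iters bounds the loop; -1 stands in for "never terminated". */
int32_t unchecked_growth(int32_t buffer_size, int32_t needed_size, int max_iters) {
    uint32_t size = (buffer_size == 0) ? INIT_BUFFER_SIZE : (uint32_t)buffer_size;
    for (int i = 0; i < max_iters; i++) {
        size *= 2u;
        if (!((int32_t)size < needed_size))
            return (int32_t)size;
    }
    return -1;
}

/* Checked version: test for overflow before each doubling and fail the
 * request instead. Returns the new size, or -1 when no size up to INT_MAX
 * can satisfy needed_size (or needed_size is itself invalid). */
int checked_growth(int buffer_size, int needed_size) {
    if (needed_size < 0)
        return -1;
    int size = (buffer_size == 0) ? INIT_BUFFER_SIZE : buffer_size;
    do {
        if (size > INT_MAX / 2)   /* doubling would exceed INT_MAX */
            return -1;
        size *= 2;
    } while (size < needed_size);
    return size;
}

int main(void) {
    const int32_t needed = 2128558980;   /* neededSize from the report */
    for (int n = 20; n <= 22; n++)
        printf("1024 doubled %d times = %d\n", n, size_after_doublings(n));
    printf("unchecked growth (64 iterations): %d\n", unchecked_growth(0, needed, 64));
    printf("checked growth, huge request:     %d\n", checked_growth(0, needed));
    printf("checked growth, 5000 bytes:       %d\n", checked_growth(0, 5000));
    return 0;
}
```

With the report's neededSize the unchecked model never finds a size (it returns -1 after the iteration limit), while the checked version fails cleanly at 2^30, the last power of two below INT_MAX / 2; for an ordinary request such as 5000 bytes both return 8192.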
