Posted over 1 year ago by William S Fulton
I suggest you realloc increasing the buffer size by the max of CURL_MAX_WRITE_SIZE and requested bytes. Should reduce the number of reallocs. A related fix is in https://issues.apache.org/jira/browse/XERCESC-2250 to show more informative libcurl …

Posted over 1 year ago by Mark
The following error happens when trying to build on Windows, using LLVM 17.0.6:
[287/299] Building RC object src\CMakeFiles\xerces-c.dir\Release\xercesc\util\version.rc.res
FAILED:
…

Posted over 1 year ago by William S Fulton
I've raised a GitHub pull request covering:
Improved NetAccessor internal error message
Improved unhandled Curl error messages
Updates to NLS Xlat code generator
Details in the pull request: https://github.com/apache/xerces-c/pull/58 Related …

Posted over 1 year ago by Scott Cantor
Curl NetAccessor mishandles larger data with NetAcc_InternalError

Posted over 1 year ago by Scott Cantor
Ok, I think that all fits my understanding. Because it was reported as an overflow, I assumed having not analyzed it that you meant a real C-style issue was extant, but I think it's "safe", just broken, and it's just that the simple change to avoid …

Posted over 1 year ago by William S Fulton
Agreed it is not a security concern as it is not undefined behaviour. The code as it is is just non-functional in many scenarios, but I am surprised it has not been reported before as the Curl NetAccessor takes priority (if configured) as the default …

Posted over 1 year ago by William S Fulton
The doc/program-dom.xml file I gave as an example is in the xerces repo and is 110027 bytes. Regarding 'buffer overflow', the internal buffer CurlURLInputStream::fBuffer is a fixed size and would overflow if written to. Instead the Xerces code …

Posted over 1 year ago by Scott Cantor
I wouldn't have any reason to doubt your analysis. I don't use that NetAccessor so I have no ability to spend time on it with the funding I have. I suspect this is a security issue if it's a buffer overflow, but that doesn't change anything. Barring …

Posted over 1 year ago by William S Fulton
The Curl NetAccessor has a buffer overflow bug
It can be easily replicated if the curl NetAccessor is turned on during configure: ./configure --with-icu --with-curl and then invoking the NetAccessorTest executable using one of the large files, I …

Posted over 1 year ago by Mike Beckerle
v3.2.4 requires escaping of hyphens in XSD pattern facet character classes where no escape should be needed. For example, technically, none of the hyphens in this need to be escaped "[A-Z;%.-]". The first hyphen defines a character range, the second …