[ https://issues.apache.org/jira/browse/XALANC-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15996982#comment-15996982 ]
Nicolas GREGOIRE commented on XALANC-762:
-----------------------------------------
This 2-year-old bug still exists and can be triggered with the following inputs.
[=] XSLT
<xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" version="1.0">
  <xsl:template match="@*|node()" mode="copy">
    <a><b>
      <xsl:value-of select="."/>
    </b></a>
    <xsl:value-of select="***"/>
    <xsl:apply-templates select="@*|node()" mode="copy"/>
  </xsl:template>
  <xsl:template match="/">
    <xsl:variable name="v"><xsl:apply-templates mode="copy"/></xsl:variable>
    <xsl:apply-templates select="exsl:node-set($v)"/>
  </xsl:template>
</xsl:transform>
[=] XML
<a b="1234567890123456789012345678901234567890"/>
[=] ASan output
ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe60ae1125 at pc 0x7f0dc5ce59f5 bp 0x7ffe60ae0f40 sp 0x7ffe60ae06d0
WRITE of size 169 at 0x7ffe60ae1125 thread T0
#0 0x7f0dc5ce59f4 in __interceptor_vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x619f4)
#1 0x7f0dc5ce5cc9 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x61cc9)
#2 0x7f0dc077a750 in xalanc_1_11::DOMStringHelper::NumberToCharacters(double, xalanc_1_11::FormatterListener&, void (xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) /work/xalan-c/src/xalanc/PlatformSupport/DOMStringHelper.cpp:1471
#3 0x7f0dc0b19b0d in xalanc_1_11::XObject::string(double, xalanc_1_11::FormatterListener&, void (xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) /work/xalan-c/src/xalanc/XPath/XObject.hpp:485
#4 0x7f0dc0b19b0d in xalanc_1_11::XPath::mult(xalanc_1_11::XalanNode*, int const*, xalanc_1_11::XPathExecutionContext&, xalanc_1_11::FormatterListener&, void (xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) const /work/xalan-c/src/xalanc/XPath/XPath.cpp:1982
#5 0x7f0dc0b27ec9 in xalanc_1_11::XPath::executeMore(xalanc_1_11::XalanNode*, int const*, xalanc_1_11::XPathExecutionContext&, xalanc_1_11::FormatterListener&, void (xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) const /work/xalan-c/src/xalanc/XPath/XPath.cpp:1149
#6 0x7f0dc1657d6a in xalanc_1_11::XPath::execute(xalanc_1_11::PrefixResolver const&, xalanc_1_11::XPathExecutionContext&, xalanc_1_11::FormatterListener&, void (xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) const /work/xalan-c/src/xalanc/XPath/XPath.hpp:761
#7 0x7f0dc1657d6a in xalanc_1_11::ElemValueOf::startElement(xalanc_1_11::StylesheetExecutionContext&) const /work/xalan-c/src/xalanc/XSLT/ElemValueOf.cpp:286
#8 0x7f0dc1665e74 in xalanc_1_11::ElemTemplateElement::execute(xalanc_1_11::StylesheetExecutionContext&) const /work/xalan-c/src/xalanc/XSLT/ElemTemplateElement.cpp:253
#9 0x7f0dc14dea16 in xalanc_1_11::StylesheetRoot::process(xalanc_1_11::XalanNode*, xalanc_1_11::XSLTResultTarget&, xalanc_1_11::StylesheetExecutionContext&) const /work/xalan-c/src/xalanc/XSLT/StylesheetRoot.cpp:267
#10 0x7f0dc15e40c5 in xalanc_1_11::XSLTEngineImpl::process(xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTResultTarget&, xalanc_1_11::StylesheetConstructionContext&, xalanc_1_11::StylesheetExecutionContext&) /work/xalan-c/src/xalanc/XSLT/XSLTEngineImpl.cpp:402
#11 0x7f0dc18aba72 in xalanc_1_11::XalanTransformer::doTransform(xalanc_1_11::XalanParsedSource const&, xalanc_1_11::XalanCompiledStylesheet const*, xalanc_1_11::XSLTInputSource const*, xalanc_1_11::XSLTResultTarget const&) /work/xalan-c/src/xalanc/XalanTransformer/XalanTransformer.cpp:1420
#12 0x7f0dc18ae32f in xalanc_1_11::XalanTransformer::transform(xalanc_1_11::XalanParsedSource const&, xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTResultTarget const&) /work/xalan-c/src/xalanc/XalanTransformer/XalanTransformer.hpp:193
#13 0x7f0dc18ae32f in xalanc_1_11::XalanTransformer::transform(xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTResultTarget const&) /work/xalan-c/src/xalanc/XalanTransformer/XalanTransformer.cpp:355
#14 0x418218 in transform(xalanc_1_11::XalanTransformer&, Params const&, xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTResultTarget const&) /work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:645
#15 0x418218 in transform(xalanc_1_11::XalanTransformer&, Params const&, xalanc_1_11::XSLTInputSource const&, xalanc_1_11::XSLTInputSource const&) /work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:763
#16 0x408e86 in transform(xalanc_1_11::XalanTransformer&, Params const&, xalanc_1_11::XSLTInputSource const&) /work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:795
#17 0x408e86 in transform(xalanc_1_11::XalanTransformer&, Params const&) /work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:821
#18 0x408e86 in xsltMain(int, char**) /work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:960
#19 0x409fa6 in main /work/xalan-c/src/xalanc/XalanExe/XalanExe.cpp:996
#20 0x7f0dbb76a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x403bc8 in _start (/usr/local/bin/Xalan+0x403bc8)
Address 0x7ffe60ae1125 is located in stack of thread T0 at offset 133 in frame
#0 0x7f0dc0779f03 in xalanc_1_11::DOMStringHelper::NumberToCharacters(double, xalanc_1_11::FormatterListener&, void (xalanc_1_11::FormatterListener::*)(unsigned short const*, unsigned long)) /work/xalan-c/src/xalanc/PlatformSupport/DOMStringHelper.cpp:1425
This frame has 2 object(s):
[32, 133) 'theBuffer'
[192, 394) 'theResult' <== Memory access at offset 133 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __interceptor_vsprintf
Post by Sergey Kurenkov (JIRA)
Stack is corrupted in DOMStringHelper::NumberToCharacters() if value is really big
----------------------------------------------------------------------------------
Key: XALANC-762
URL: https://issues.apache.org/jira/browse/XALANC-762
Project: XalanC
Issue Type: Bug
Components: XalanC
Affects Versions: 1.11
Reporter: Sergey Kurenkov
Assignee: Steven J. Hathaway
Priority: Minor
In functions

void
DOMStringHelper::NumberToCharacters(
    double theValue,
    FormatterListener& formatterListener,
    MemberFunctionPtr function)

and

NumberToDOMString(
    double theValue,
    XalanDOMString& theResult)

char theBuffer[MAX_PRINTF_DIGITS + 1];

If theValue is quite big, for example 1.79769e+308, which is the biggest possible double value, then theBuffer is overwritten, since it just allocates only 100 bytes for storing theValue, whereas when this format string is used, "%.35f", it requires around 350 bytes to store the converted double.

// The maximum number of characters for a floating point number.
const size_t MAX_FLOAT_CHARACTERS = 400;

in order to have enough space to store 308 digits before the point, a point and up to 35 digits after the point and the NULL terminator at the end.
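Added example, not code from the Xalan-C project or from either poster: a stand-alone C illustration of the arithmetic in the report (a 100-byte buffer, assumed to be MAX_PRINTF_DIGITS + 1 as stated above, against "%.35f" applied to DBL_MAX) and a bounded snprintf conversion that reports truncation instead of writing past the buffer. The helper names are this example's own.

```c
#include <float.h>
#include <stdio.h>
#include <string.h>

/* Buffer size of the original code: MAX_PRINTF_DIGITS + 1, 100 bytes per the report (assumed). */
#define ORIG_BUFFER_SIZE 100
/* Size proposed in the report: integer digits + '.' + 35 fraction digits + NUL fit in 400. */
#define MAX_FLOAT_CHARACTERS 400

/* Number of characters "%.35f" produces for v, NUL excluded. The size-0 snprintf is a
 * dry run defined by C99: it measures the output without writing anything. */
int required_length(double v) {
    return snprintf(NULL, 0, "%.35f", v);
}

/* Would the original fixed 100-byte stack buffer be overrun for this value?
 * This is the condition the sprintf() in DOMStringHelper::NumberToCharacters() never checked. */
int overflows_original_buffer(double v) {
    return required_length(v) + 1 > ORIG_BUFFER_SIZE;
}

/* Hardened conversion: the write is bounded by out_size, and the caller learns whether the
 * result was truncated. Returns 1 when out holds the complete string, 0 when the buffer was
 * too small (out is then a truncated but NUL-terminated string). */
int number_to_chars(double v, char *out, size_t out_size) {
    int n = snprintf(out, out_size, "%.35f", v);
    return n >= 0 && (size_t)n < out_size;
}

int main(void) {
    char buf[MAX_FLOAT_CHARACTERS];
    printf("%%.35f of DBL_MAX needs %d characters\n", required_length(DBL_MAX));
    printf("fits in 400 bytes: %d\n", number_to_chars(DBL_MAX, buf, sizeof buf));
    return 0;
}
```

With glibc, DBL_MAX (about 1.8e308) expands to 309 integer digits, so the formatted string is 309 + 1 + 35 = 345 characters, more than three times the original buffer.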
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)