Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8029955

AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars

    XMLWordPrintable

Details

    • 6
    • b122
    • Verified

    Backports

      Description

        FULL PRODUCT VERSION :
        Applicable to all versions I've tried, including latest tip from mercurial.

        ADDITIONAL OS VERSION INFORMATION :
        Applicable to all.

        A DESCRIPTION OF THE PROBLEM :
        There is a hardcoded buffer for parsing literals in XMLEntityScanner.

        int [] whiteSpaceLookup = new int[100];

        And there is later a loop that doesn't check if this buffer if overrun:

                    for ( i = offset; i < fCurrentEntity.position; i++) {
                        fCurrentEntity.ch[i] = '
        ';
                        whiteSpaceLookup[whiteSpaceLen++]=i;
                    }

        Which leads to easy-to-hit exceptions from the parser (odd XML, true, but valid). Reproducible code sample:

        import java.io.StringReader;

        import org.xml.sax.InputSource;
        import org.xml.sax.XMLReader;
        import org.xml.sax.helpers.XMLReaderFactory;

        public class Foo {
          public static void main(String[] args) throws Exception {
            StringBuilder builder = new StringBuilder();
            builder.append("<root attr=\"");
            for (int i = 0; i < 200; i++) {
              builder.append("
        ");
            }
            builder.append("foo.");
            builder.append("\" />");
            final XMLReader reader = XMLReaderFactory.createXMLReader();
            System.out.println(reader.getClass().getName());
            reader.parse(new InputSource(new StringReader(builder.toString())));
          }
        }


        ADDITIONAL REGRESSION INFORMATION:
        This is a long-standing issue. It's been reported to us back in 2011, but at the time I didn't inspect it closely (shame on me).

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Parse an XML with an attribute containing more than 100 LF chars.

        import java.io.StringReader;

        import org.xml.sax.InputSource;
        import org.xml.sax.XMLReader;
        import org.xml.sax.helpers.XMLReaderFactory;

        public class Foo {
          public static void main(String[] args) throws Exception {
            StringBuilder builder = new StringBuilder();
            builder.append("<root attr=\"");
            for (int i = 0; i < 200; i++) {
              builder.append("
        ");
            }
            builder.append("foo.");
            builder.append("\" />");
            final XMLReader reader = XMLReaderFactory.createXMLReader();
            System.out.println(reader.getClass().getName());
            reader.parse(new InputSource(new StringReader(builder.toString())));
          }
        }


        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Should parse.
        ACTUAL -
        Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 100
        at com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.scanLiteral(XMLEntityScanner.java:1145)
        at com.sun.org.apache.xerces.internal.impl.XMLScanner.scanAttributeValue(XMLScanner.java:948)
        at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanAttribute(XMLNSDocumentScannerImpl.java:436)
        at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:253)
        at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl$NSContentDriver.scanRootElementHook(XMLNSDocumentScannerImpl.java:602)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:3116)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:880)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
        at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:116)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:846)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:775)
        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1210)


        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        Parse an XML with an attribute containing more than 100 LF chars.

        import java.io.StringReader;

        import org.xml.sax.InputSource;
        import org.xml.sax.XMLReader;
        import org.xml.sax.helpers.XMLReaderFactory;

        public class Foo {
          public static void main(String[] args) throws Exception {
            StringBuilder builder = new StringBuilder();
            builder.append("<root attr=\"");
            for (int i = 0; i < 200; i++) {
              builder.append("
        ");
            }
            builder.append("foo.");
            builder.append("\" />");
            final XMLReader reader = XMLReaderFactory.createXMLReader();
            System.out.println(reader.getClass().getName());
            reader.parse(new InputSource(new StringReader(builder.toString())));
          }
        }

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Rewrite the fixed-width buffer routine.

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8031256 AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8280249 AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8030973 AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8153676 AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8153735 AIOB in XMLEntityScanner.scanLiteral upon parsing literals with > 100 LF chars

            • P2 - Crashes, loss of data, severe memory leak.
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-8031979 javax/xml/jaxp/parsers/8029955/EntityScannerTest.java fails on cpu build

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Closed

            Activity

              People

                joehw Joe Wang
                asaha Abhijit Saha
                Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: