[
https://issues.apache.org/jira/browse/XERCESC-2179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16966743#comment-16966743
]
Alberto Massari edited comment on XERCESC-2179 at 11/4/19 3:23 PM:
-------------------------------------------------------------------
The current code in the trunk is here:
[http://svn.apache.org/viewvc/xerces/c/trunk/src/xercesc/util/Transcoders/Win32/Win32TransService.cpp?view=markup#l159]
{code}
{
    unsigned long theType;
    unsigned long theSize = nameBufSz;
    return (::RegQueryValueExA
    (
        encodingKey
        , "AliasForCharset"
        , 0
        , &theType
        , (unsigned char*)aliasBuf
        , &theSize
    ) == ERROR_SUCCESS);
}
{code}
theType is not unsigned int; it's unsigned long, which is identical to DWORD
theType after the preprocessor expands the macro.
> access violation in win32transservice.cpp with 64 bit compile
> -------------------------------------------------------------
>
> Key: XERCESC-2179
> URL: https://issues.apache.org/jira/browse/XERCESC-2179
> Project: Xerces-C++
> Issue Type: Bug
> Components: DOM
> Affects Versions: 3.2.2
> Reporter: martin goodall
> Assignee: Alberto Massari
> Priority: Blocker
> Fix For: 3.2.3
>
> Attachments: Win32TransService.cpp
>
>
> calls to ::Reg... to get registry info are passing in stack variables that
> are 8 bytes long into functions that overwrite 16 bytes, causing memory
> overwrite and very random segs.