Expected either attr limit (2147483647) >= currAttrSize (0) OR >= outBuf.length (96) #122

Closed
j3rem1e opened this issue Feb 3, 2021 · 2 comments

j3rem1e commented Feb 3, 2021

After upgrading my application to Woodstox v6.2.x, importing XML failed with this exception:

Caused by: java.lang.RuntimeException: Internal error: Expected either attr limit (2147483647) >= currAttrSize (0) OR >= outBuf.length (96)
	at com.ctc.wstx.util.ExceptionUtil.throwInternal(ExceptionUtil.java:69) ~[?:?]
	at com.ctc.wstx.sr.BasicStreamReader._checkAttributeLimit(BasicStreamReader.java:2056) ~[?:?]
	at com.ctc.wstx.sr.BasicStreamReader.parseAttrValue(BasicStreamReader.java:2038) ~[?:?]
	at com.ctc.wstx.sr.BasicStreamReader.handleNsAttrs(BasicStreamReader.java:3144) ~[?:?]
	at com.ctc.wstx.sr.BasicStreamReader.handleStartElem(BasicStreamReader.java:3042) ~[?:?]
	at com.ctc.wstx.sr.BasicStreamReader.handleRootElem(BasicStreamReader.java:2188) ~[?:?]
	at com.ctc.wstx.sr.BasicStreamReader.nextFromProlog(BasicStreamReader.java:2168) ~[?:?]
	at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1180) ~[?:?]

Downgrading to v6.0.2 fixes it.

I don't really understand what the message means.. ;)

The code looks like the following:

public static void checkSVG(final String svg) {
	boolean allowed = true;

	XMLInputFactory factory = XMLInputFactory.newInstance();
	// Disable DTD processing and external entity resolution
	factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
	factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
	// Woodstox-specific limit on the size of a single attribute value
	factory.setProperty("com.ctc.wstx.maxAttributeSize", Integer.MAX_VALUE);

	try {
		// createXMLStreamReader throws the checked XMLStreamException, so it is created inside the try
		XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(svg));
		while (reader.hasNext()) {
			if (reader.next() == XMLEvent.START_ELEMENT) {

				// Reject any element that is not on the allow-list
				if (!WHITELIST_ELEMENTS.contains(reader.getLocalName())) {
					allowed = false;
				}

				// Reject any attribute that is not on the allow-list
				int attcount = reader.getAttributeCount();
				for (int i = 0; i < attcount; ++i) {
					String attName = reader.getAttributeLocalName(i);
					if (!WHITELIST_ATTRIBUTES.contains(attName)) {
						allowed = false;
					}
				}
			}
		}
	} catch (final XMLStreamException e) {
		ExceptionUtils.throwRuntimeException(e);
	}

	if (!allowed) {
		throw new SecurityException("xxx");
	}
}

@cowtowncoder (Member)

This is probably a bug in Woodstox code, and I am guessing a result of the fix for #112. It'd be great if you could come up with a test case to reproduce it, as it's a bit tricky to reproduce otherwise... although I can try.

The thing that I think triggers this is likely this line:

factory.setProperty("com.ctc.wstx.maxAttributeSize", Integer.MAX_VALUE);

because the value is simply added to the offset, and I think that will cause integer overflow.
So a work-around would be just using, say:

factory.setProperty("com.ctc.wstx.maxAttributeSize", Integer.MAX_VALUE/2);

which I suspect would prevent the problem.

But I'd like to fix the problem itself.

cowtowncoder modified the milestones: 6.2.0, 6.2.4 Feb 11, 2021

@cowtowncoder (Member)

Was able to reproduce this easily. Fixed, releasing 6.2.4 now since this is a pretty gnarly bug.
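
The kind of overflow suspected in this thread, shown as an added Java illustration; it is not Woodstox source and not code from either participant. The class, method names and offsets are hypothetical, and it assumes buffer offsets satisfy 0 <= start <= ptr.

```java
// Added illustration of a size-limit check that overflows; all names are hypothetical.
public class AttrLimitOverflow {

    // Naive check: turn the limit into an absolute end offset by adding it
    // to the start offset. Java int addition wraps silently, so a limit near
    // Integer.MAX_VALUE yields a negative "end" and the check fires at once.
    static boolean exceedsNaive(int start, int ptr, int maxSize) {
        int end = start + maxSize; // wraps when start + maxSize > Integer.MAX_VALUE
        return ptr >= end;
    }

    // Overflow-safe check: compare the size consumed so far with the limit.
    // With 0 <= start <= ptr the subtraction cannot overflow.
    static boolean exceedsSafe(int start, int ptr, int maxSize) {
        return (ptr - start) >= maxSize;
    }

    // Alternative: keep the addition but make the overflow explicit.
    static boolean exceedsExact(int start, int ptr, int maxSize) {
        try {
            return ptr >= Math.addExact(start, maxSize);
        } catch (ArithmeticException overflow) {
            // The true end offset lies beyond any int offset, so ptr cannot have reached it.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed offsets: the value starts at offset 96 and no characters were read yet.
        int start = 96;
        int ptr = 96;
        int[] limits = { Integer.MAX_VALUE, Integer.MAX_VALUE / 2, 1024 };
        for (int limit : limits) {
            System.out.printf("limit=%d naive=%b safe=%b exact=%b%n",
                    limit,
                    exceedsNaive(start, ptr, limit),
                    exceedsSafe(start, ptr, limit),
                    exceedsExact(start, ptr, limit));
        }
    }
}
```

Only the naive check reports the limit as exceeded for `Integer.MAX_VALUE`; with `Integer.MAX_VALUE/2`, the workaround suggested above, the sum stays in range for these offsets.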
