We're using boost/rapidxml for XML parsing in a pub/sub broker implementation and for a certain XML payload, the broker crashes.
To eliminate as many variables as possible, I have implemented a short test program doing only the XML parse, and the crash is similar.
My short test program is found here:
#include <stdio.h> // printf
#include <unistd.h> // read
#include <sys/types.h> // open
#include <sys/stat.h> // open
#include <fcntl.h> // open
#include <errno.h> // errno
#include <string.h> // strerror
#include "rapidxml.hpp"
#ifdef LONG_RAPIDXML_NAME_SPACE
// boost version >= 1.45
using namespace boost::property_tree::detail::rapidxml;
#else
// boost version <= 1.44
using namespace rapidxml;
#endif
/* ****************************************************************************
*
* xmlTreePresent -
*/
static void xmlTreePresent(xml_node<>* nodeP, std::string indent, int depth = 0)
{
static int callNo = 0;
++callNo;
if(nodeP == NULL)
{
printf("%sNULL NODE\n", indent.c_str());
}
char* name = nodeP->name();
char* value = nodeP->value();
printf("%s%s (%s) (call %d, depth %d)\n", indent.c_str(), name, value, callNo, depth);
xml_node<>* child = nodeP->first_node();
while(child != NULL)
{
printf("%schild at %p\n", indent.c_str(), child);
printf("%schild->name() at %p\n", indent.c_str(), child->name());
if((child->name() != NULL) && (child->name()[0] != 0))
{
xmlTreePresent(child, indent + " ", depth + 1);
}
child = child->next_sibling();
}
}
/* ****************************************************************************
*
* xmlDocPrepare -
*/
static xml_node<>* xmlDocPrepare(char* xml)
{
xml_document<> doc;
try
{
doc.parse<0>(xml);
}
catch(parse_error& e)
{
printf("PARSE ERROR: %s\n", e.what());
return NULL;
}
catch(...)
{
printf("GENERIC ERROR during doc.parse\n");
return NULL;
}
xml_node<>* father = doc.first_node();
return father;
}
/* ****************************************************************************
*
* main -
*/
int main(int argC, char* argV[])
{
char* fileName = argV[1];
int fd;
if((fd = open(fileName, O_RDONLY)) == -1)
{
printf("open('%s'): %s", fileName, strerror(errno));
exit(1);
}
struct stat statBuf;
if(stat(fileName, &statBuf) != 0)
{
printf("stat('%s'): %s", fileName, strerror(errno));
exit(2);
}
char* buf = (char*) calloc(1, statBuf.st_size + 1);
if(buf == NULL)
{
printf("calloc(%lu): %s", statBuf.st_size + 1, strerror(errno));
exit(3);
}
int nb = read(fd, buf, statBuf.st_size);
if(nb == -1)
{
printf("read('%s'): %s", fileName, strerror(errno));
exit(4);
}
else if(nb != statBuf.st_size)
{
printf("read %d characters, wanted %lu", nb, statBuf.st_size);
exit(5);
}
xml_node<>* father = xmlDocPrepare((char*) buf);
xmlTreePresent(father, "");
return 0;
}
A sample input XML is here: http://pastebin.com/rYiDjP7E
I have tried both in Ubuntu (libboost_serialization.so.1.49.0) and in CentOS (libboost_serialization.so.5) and I get similar crashes.
[ I'm not sure but I think boost property tree resides in the serialization library ... ]
It gets a little further in CentOS but ends up in a similar crash.
More than thankful for help here, we have users waiting for a fix ...
