Instrument Futag found this error with tinyxml2 version 9.0.0 and in current version.
|
/*static*/ const char* XMLDocument::ErrorIDToName(XMLError errorID) |
|
{ |
|
TIXMLASSERT( errorID >= 0 && errorID < XML_ERROR_COUNT ); |
|
const char* errorName = _errorNames[errorID]; |
|
TIXMLASSERT( errorName && errorName[0] ); |
|
return errorName; |
|
} |
errorID is a variable of XMLError type, which can receive value from XML_SUCCESS (0) to XML_ERROR_COUNT (19)
|
enum XMLError { |
|
XML_SUCCESS = 0, |
|
XML_NO_ATTRIBUTE, |
|
XML_WRONG_ATTRIBUTE_TYPE, |
|
XML_ERROR_FILE_NOT_FOUND, |
|
XML_ERROR_FILE_COULD_NOT_BE_OPENED, |
|
XML_ERROR_FILE_READ_ERROR, |
|
XML_ERROR_PARSING_ELEMENT, |
|
XML_ERROR_PARSING_ATTRIBUTE, |
|
XML_ERROR_PARSING_TEXT, |
|
XML_ERROR_PARSING_CDATA, |
|
XML_ERROR_PARSING_COMMENT, |
|
XML_ERROR_PARSING_DECLARATION, |
|
XML_ERROR_PARSING_UNKNOWN, |
|
XML_ERROR_EMPTY_DOCUMENT, |
|
XML_ERROR_MISMATCHED_ELEMENT, |
|
XML_ERROR_PARSING, |
|
XML_CAN_NOT_CONVERT_TEXT, |
|
XML_NO_TEXT_NODE, |
|
XML_ELEMENT_DEPTH_EXCEEDED, |
|
|
|
XML_ERROR_COUNT |
|
}; |
The _errorNames array has 19 elements (from 0 to 18) and was defined here:
|
const char* XMLDocument::_errorNames[XML_ERROR_COUNT] = { |
|
"XML_SUCCESS", |
|
"XML_NO_ATTRIBUTE", |
|
"XML_WRONG_ATTRIBUTE_TYPE", |
|
"XML_ERROR_FILE_NOT_FOUND", |
|
"XML_ERROR_FILE_COULD_NOT_BE_OPENED", |
|
"XML_ERROR_FILE_READ_ERROR", |
|
"XML_ERROR_PARSING_ELEMENT", |
|
"XML_ERROR_PARSING_ATTRIBUTE", |
|
"XML_ERROR_PARSING_TEXT", |
|
"XML_ERROR_PARSING_CDATA", |
|
"XML_ERROR_PARSING_COMMENT", |
|
"XML_ERROR_PARSING_DECLARATION", |
|
"XML_ERROR_PARSING_UNKNOWN", |
|
"XML_ERROR_EMPTY_DOCUMENT", |
|
"XML_ERROR_MISMATCHED_ELEMENT", |
|
"XML_ERROR_PARSING", |
|
"XML_CAN_NOT_CONVERT_TEXT", |
|
"XML_NO_TEXT_NODE", |
|
"XML_ELEMENT_DEPTH_EXCEEDED" |
|
}; |
So, when errorID gets XML_ERROR_COUNT value, error occurs at instruction const char* errorName = _errorNames[errorID];
The generated fuzzing wrapper is attached below.
ErrorIDToName1.cpp.zip
Instrument Futag found this error with tinyxml2 version 9.0.0 and in current version.
tinyxml2/tinyxml2.cpp
Lines 2501 to 2507 in e45d9d1
errorID is a variable of XMLError type, which can receive value from XML_SUCCESS (0) to XML_ERROR_COUNT (19)
tinyxml2/tinyxml2.h
Lines 523 to 545 in e45d9d1
The _errorNames array has 19 elements (from 0 to 18) and was defined here:
tinyxml2/tinyxml2.cpp
Lines 2136 to 2156 in e45d9d1
So, when errorID gets XML_ERROR_COUNT value, error occurs at instruction
const char* errorName = _errorNames[errorID];The generated fuzzing wrapper is attached below.
ErrorIDToName1.cpp.zip