Crashes in InsertInDefaultNameSpacePrefixMap #101
Description
Hi all,
We're using the latest version (v2023.12) on an iOS app, and we're seeing random crashes (segmentation faults) with the following stack:
Thread 12 Crashed:
0 Switcher 0x0000000103bcdd04 AdobeXMPCore_Int::INameSpacePrefixMap_I::InsertInDefaultNameSpacePrefixMap(char const*, unsigned long long, char const*, unsigned long long) + 19881220 (NameSpacePrefixMapImpl.cpp:286)
1 Switcher 0x0000000103becaec XMPMeta::RegisterNamespace(char const*, char const*, char const**, unsigned int*) + 20007660 (XMPMeta.cpp:1062)
2 Switcher 0x0000000103c1f948 addBinding + 20216136 (xmlparse.c:0)
3 Switcher 0x0000000103c1e734 storeAtts + 20211508 (xmlparse.c:0)
4 Switcher 0x0000000103c1d998 doContent + 20208024 (xmlparse.c:2962)
5 Switcher 0x0000000103c1c728 contentProcessor + 20203304 (xmlparse.c:2621)
6 Switcher 0x0000000103c1c204 prologProcessor + 20201988 (xmlparse.c:4607)
7 Switcher 0x0000000103c1ac34 XML_ParseBuffer + 20196404 (xmlparse.c:2018)
8 Switcher 0x0000000103bb8780 ExpatAdapter::ParseBuffer(void const*, unsigned long, bool) + 19793792 (ExpatAdapter.cpp:154)
9 Switcher 0x0000000103be863c ProcessUTF8Portion(XMLParserAdapter*, unsigned char const*, unsigned long, bool) + 19990076 (XMPMeta-Parse.cpp:1027)
10 Switcher 0x0000000103be81fc XMPMeta::ProcessXMLBuffer(char const*, unsigned int, bool) + 19988988 (XMPMeta-Parse.cpp:1168)
11 Switcher 0x0000000103be88ac XMPMeta::ParseFromBuffer(char const*, unsigned int, unsigned int) + 19990700 (XMPMeta-Parse.cpp:1250)
12 Switcher 0x0000000103bddf10 WXMPMeta_ParseFromBuffer_1 + 19947280 (WXMPMeta.cpp:1203)
13 Switcher 0x00000001029691b8 TXMPMeta<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>::ParseFromBuffer(char const*, unsigned int, unsigned int) + 594360 (TXMPMeta.incl_cpp:861)
14 Switcher 0x0000000103c432dc PNG_MetaHandler::ProcessXMP() + 20361948 (PNG_Handler.cpp:0)
15 Switcher 0x0000000103ca41ec XMPFiles::GetXMP(TXMPMeta<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>*, char const**, unsigned int*, XMP_PacketInfo*) + 20759020 (XMPFiles.cpp:1511)
16 Switcher 0x0000000103ca2cdc WXMPFiles_GetXMP_1 + 20753628 (WXMPFiles.cpp:0)
17 Switcher 0x000000010296ab5c TXMPFiles<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>::GetXMP(TXMPMeta<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>*, XMP_PacketInfo*) + 600924 (TXMPFiles.incl_cpp:382)
18 Switcher 0x000000010296adb8 _read(char const*, unsigned int, swixmp_metadata**) + 601528 (swixmp.cpp:142)
Here's our code in the _read function:
XMP_OptionBits opts = kXMPFiles_OpenForRead | kXMPFiles_OpenStrictly;
SXMPFiles f;
SXMPMeta xmp;
try {
if (!f.OpenFile(path, format, opts)) {
printf("swixmp: _read: failed to open file: %s\n", path);
return SWIXMP_RESULT_CANNOT_OPEN;
}
f.GetXMP(&xmp);
The crash is in NameSpacePrefixMapImpl.cpp line 286:
bool INameSpacePrefixMap_I::InsertInDefaultNameSpacePrefixMap( const char * prefix, sizet prefixLength, const char * nameSpace, sizet nameSpaceLength ) {
return ManageDefaultNameSpacePrefixMap( false )->Insert( prefix, prefixLength, nameSpace, nameSpaceLength );
}
It looks like ManageDefaultNameSpacePrefixMap( false ) is returning an invalid pointer, and the value is not checked before calling Insert.