heap-buffer-overflow when identityref typed field value exceeds 65535 length.

[Amar0589]

Below is the rpc request :

Below is the callstack

==26624==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xa8fad404 at pc 0xaea6c963 bp 0xb1c32e38 sp 0xb1c32e2c
WRITE of size 4 at 0xa8fad404 thread T17 (DefSch0300)
#0 0xaea6c962 in exp_add_token /usr1/code/libyang/yang/xpath.c:1477
#1 0xaea6c962 in lyxp_parse_expr /usr1/code/libyang/yang/xpath.c:2519
#2 0xae89c958 in transform_xml2json /usr1/code/libyang/yang/common.c:536
#3 0xae8b8b56 in lyp_parse_value /usr1/code/libyang/yang/parser.c:1745
#4 0xae8d9a08 in xml_get_value /usr1/code/libyang/yang/parser_xml.c:105
#5 0xae8d9a08 in xml_parse_data /usr1/code/libyang/yang/parser_xml.c:471
#6 0xae8d92ab in xml_parse_data /usr1/code/libyang/yang/parser_xml.c:517
#7 0xae8d92ab in xml_parse_data /usr1/code/libyang/yang/parser_xml.c:517
#8 0xae8d92ab in xml_parse_data /usr1/code/libyang/yang/parser_xml.c:517
#9 0xae8db2a8 in lyd_parse_xml /usr1/code/libyang/yang/parser_xml.c:680

Root cause may be below

[michalvasko]

Hi,
in the current devel this situation should be detected and an error displayed instead of a buffer overflow. That is all we can do, we will not increase the size, your use-case is not valid as a real situation.

Regards,
Michal

[Amar0589]

ok thanks