Debian bug 380347: Prevent a buffer overflow in entity_cache.

[ From commit 341d54151f in ELinks
  0.12.GIT.  --KON ]

src/intl/charsets.c

@@ -548,7 +548,17 @@ get_entity_string(const unsigned char *str, const int strlen, int encoding)
 end:
 	/* Take care of potential buffer overflow. */
 	if (strlen < sizeof(entity_cache[slen][0].str)) {
-		struct entity_cache *ece = &entity_cache[slen][nb_entity_cache[slen]];
+		struct entity_cache *ece;
+
+		/* Sort entries by hit order. */
+		if (nb_entity_cache[slen] > 1)
+			qsort(&entity_cache[slen][0], nb_entity_cache[slen],
+			      sizeof(entity_cache[slen][0]), (void *) hits_cmp);
+
+		/* Increment number of cache entries if possible.
+		 * Else, just replace the least used entry.  */
+		if (nb_entity_cache[slen] < ENTITY_CACHE_SIZE) nb_entity_cache[slen]++;
+		ece = &entity_cache[slen][nb_entity_cache[slen] - 1];
 
 		/* Copy new entry to cache. */
 		ece->hits = 1;
@@ -558,21 +568,11 @@ end:
 		memcpy(ece->str, str, strlen);
 		ece->str[strlen] = '\0';
 
-		/* Increment number of cache entries if possible. */
-		if (nb_entity_cache[slen] < ENTITY_CACHE_SIZE) nb_entity_cache[slen]++;
 
 #ifdef DEBUG_ENTITY_CACHE
 		fprintf(stderr, "Added in [%u]: l=%d st='%s'\n", slen,
 				entity_cache[slen][0].strlen, entity_cache[slen][0].str);
 
-#endif
-
-		/* Sort entries by hit order. */
-		if (nb_entity_cache[slen] > 1)
-			qsort(&entity_cache[slen][0], nb_entity_cache[slen],
-			      sizeof(entity_cache[slen][0]), (void *) hits_cmp);
-
-#ifdef DEBUG_ENTITY_CACHE
 	{
 		unsigned int i;
 
@@ -583,7 +583,7 @@ end:
 				entity_cache[slen][i].str);
 		fprintf(stderr, "-----------------\n");
 	}
-#endif
+#endif	/* DEBUG_ENTITY_CACHE */
 	}
 	return result;
 }