mirror of
https://github.com/rkd77/elinks.git
synced 2024-12-04 14:46:47 -05:00
Debian bug 380347: Prevent a buffer overflow in entity_cache.
This commit is contained in:
parent
c0f488251f
commit
341d54151f
1
NEWS
1
NEWS
@ -114,6 +114,7 @@ roughly in decreasing order of importance.
|
||||
if the terminal uses some other charset.
|
||||
- (bugfix 947) document.html.wrap_html also affects text in tables.
|
||||
- (bugfix 816) Convert entity references in input/@value only once.
|
||||
- (Debian bug 380347) Prevent a buffer overflow in entity_cache.
|
||||
* Changes in parsing and rendering of non-HTML content-types
|
||||
- (new feature 121) If a mailcap entry indicates copiousoutput,
|
||||
ELinks itself acts as a pager.
|
||||
|
@ -1129,7 +1129,17 @@ skip:
|
||||
end:
|
||||
/* Take care of potential buffer overflow. */
|
||||
if (strlen < sizeof(entity_cache[slen][0].str)) {
|
||||
struct entity_cache *ece = &entity_cache[slen][nb_entity_cache[slen]];
|
||||
struct entity_cache *ece;
|
||||
|
||||
/* Sort entries by hit order. */
|
||||
if (nb_entity_cache[slen] > 1)
|
||||
qsort(&entity_cache[slen][0], nb_entity_cache[slen],
|
||||
sizeof(entity_cache[slen][0]), (void *) hits_cmp);
|
||||
|
||||
/* Increment number of cache entries if possible.
|
||||
* Else, just replace the least used entry. */
|
||||
if (nb_entity_cache[slen] < ENTITY_CACHE_SIZE) nb_entity_cache[slen]++;
|
||||
ece = &entity_cache[slen][nb_entity_cache[slen] - 1];
|
||||
|
||||
/* Copy new entry to cache. */
|
||||
ece->hits = 1;
|
||||
@ -1139,21 +1149,11 @@ end:
|
||||
memcpy(ece->str, str, strlen);
|
||||
ece->str[strlen] = '\0';
|
||||
|
||||
/* Increment number of cache entries if possible. */
|
||||
if (nb_entity_cache[slen] < ENTITY_CACHE_SIZE) nb_entity_cache[slen]++;
|
||||
|
||||
#ifdef DEBUG_ENTITY_CACHE
|
||||
fprintf(stderr, "Added in [%u]: l=%d st='%s'\n", slen,
|
||||
entity_cache[slen][0].strlen, entity_cache[slen][0].str);
|
||||
|
||||
#endif
|
||||
|
||||
/* Sort entries by hit order. */
|
||||
if (nb_entity_cache[slen] > 1)
|
||||
qsort(&entity_cache[slen][0], nb_entity_cache[slen],
|
||||
sizeof(entity_cache[slen][0]), (void *) hits_cmp);
|
||||
|
||||
#ifdef DEBUG_ENTITY_CACHE
|
||||
{
|
||||
unsigned int i;
|
||||
|
||||
@ -1164,7 +1164,7 @@ end:
|
||||
entity_cache[slen][i].str);
|
||||
fprintf(stderr, "-----------------\n");
|
||||
}
|
||||
#endif
|
||||
#endif /* DEBUG_ENTITY_CACHE */
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user