mirror of https://github.com/rkd77/elinks.git synced 2024-12-04 14:46:47 -05:00

Debian bug 380347: Prevent a buffer overflow in entity_cache.

Kalle Olavi Niemitalo 2007-05-01 11:23:25 +03:00 committed by Kalle Olavi Niemitalo
parent c0f488251f
commit 341d54151f
2 changed files with 13 additions and 12 deletions

1
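--- a/NEWS
+++ b/NEWS
@@ -114,6 +114,7 @@ roughly in decreasing order of importance.
 if the terminal uses some other charset.
 - (bugfix 947) document.html.wrap_html also affects text in tables.
 - (bugfix 816) Convert entity references in input/@value only once.
+- (Debian bug 380347) Prevent a buffer overflow in entity_cache.
 * Changes in parsing and rendering of non-HTML content-types
 - (new feature 121) If a mailcap entry indicates copiousoutput,
 ELinks itself acts as a pager.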


@ -1129,7 +1129,17 @@ skip:
end: end:
/* Take care of potential buffer overflow. */ /* Take care of potential buffer overflow. */
if (strlen < sizeof(entity_cache[slen][0].str)) { if (strlen < sizeof(entity_cache[slen][0].str)) {
struct entity_cache *ece = &entity_cache[slen][nb_entity_cache[slen]]; struct entity_cache *ece;
/* Sort entries by hit order. */
if (nb_entity_cache[slen] > 1)
qsort(&entity_cache[slen][0], nb_entity_cache[slen],
sizeof(entity_cache[slen][0]), (void *) hits_cmp);
/* Increment number of cache entries if possible.
* Else, just replace the least used entry. */
if (nb_entity_cache[slen] < ENTITY_CACHE_SIZE) nb_entity_cache[slen]++;
ece = &entity_cache[slen][nb_entity_cache[slen] - 1];
/* Copy new entry to cache. */ /* Copy new entry to cache. */
ece->hits = 1; ece->hits = 1;
@ -1139,21 +1149,11 @@ end:
memcpy(ece->str, str, strlen); memcpy(ece->str, str, strlen);
ece->str[strlen] = '\0'; ece->str[strlen] = '\0';
/* Increment number of cache entries if possible. */
if (nb_entity_cache[slen] < ENTITY_CACHE_SIZE) nb_entity_cache[slen]++;
#ifdef DEBUG_ENTITY_CACHE #ifdef DEBUG_ENTITY_CACHE
fprintf(stderr, "Added in [%u]: l=%d st='%s'\n", slen, fprintf(stderr, "Added in [%u]: l=%d st='%s'\n", slen,
entity_cache[slen][0].strlen, entity_cache[slen][0].str); entity_cache[slen][0].strlen, entity_cache[slen][0].str);
#endif
/* Sort entries by hit order. */
if (nb_entity_cache[slen] > 1)
qsort(&entity_cache[slen][0], nb_entity_cache[slen],
sizeof(entity_cache[slen][0]), (void *) hits_cmp);
#ifdef DEBUG_ENTITY_CACHE
{ {
unsigned int i; unsigned int i;
@ -1164,7 +1164,7 @@ end:
entity_cache[slen][i].str); entity_cache[slen][i].str);
fprintf(stderr, "-----------------\n"); fprintf(stderr, "-----------------\n");
} }
#endif #endif /* DEBUG_ENTITY_CACHE */
} }
return result; return result;
} }
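Review bot: The `Added in [%u]` debug trace in the second hunk still prints `entity_cache[slen][0]`, but the new entry is now written through `ece` at index `nb_entity_cache[slen] - 1`, so with DEBUG_ENTITY_CACHE defined the trace reports an older entry rather than the one just added; the arguments should be `ece->strlen, ece->str`. In the first hunk the moved `qsort` call keeps the `(void *) hits_cmp` cast, which hides any mismatch between `hits_cmp` and the comparator type `qsort` expects; giving `hits_cmp` the signature `int hits_cmp(const void *, const void *)` would let the cast go, though its definition is outside the lines shown. Replacing the last slot when the cache is full only evicts the least used entry if `hits_cmp` orders by descending hits, which cannot be confirmed from here. A comment above the `ece` assignment such as `/* 1 <= nb_entity_cache[slen] <= ENTITY_CACHE_SIZE here, so ece stays inside entity_cache[slen]. */` would record the invariant the overflow fix depends on. The enclosing function begins before the first hunk, so the bound on `slen` itself is not visible.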