aniani/elinks
1
0
Fork 0
mirror of https://github.com/rkd77/elinks.git synced 2024-06-27 01:25:34 +00:00
Code

DOM: Fix checking of out-of-bound access to scanned strings

Browse Source
This commit is contained in:
Jonas Fonseca 2006-01-29 12:12:41 +01:00 committed by Jonas Fonseca
parent ca5a5f230a
commit 9fe0608bd2
1 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/dom/sgml/scanner.c
View File

@ -458,7 +458,8 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
real_length = 0;
} else if (string == scanner->end) {
/* It is incomplete. */
/* It is incomplete so prevent out of bound acess to
* the scanned string. */
} else if (is_sgml_ident(*string)) {
token->string.string = string;
@ -467,7 +468,7 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
real_length = string - token->string.string;
skip_sgml_space(scanner, &string);
if (*string == '>') {
if (string < scanner->end && *string == '>') {
type = SGML_TOKEN_ELEMENT;
string++;
@ -570,7 +571,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
string++;
skip_sgml_space(scanner, &string);
if (is_sgml_ident(*string)) {
if (string == scanner->end) {
/* Prevent out of bound access. */
} else if (is_sgml_ident(*string)) {
token->string.string = string;
scan_sgml(scanner, string, SGML_CHAR_IDENT);
real_length = string - token->string.string;
@ -634,7 +638,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
* For stricter parsing we should always require attribute
* values to be quoted.
*/
if (*string == '>') {
if (string == scanner->end) {
/* Prevent out of bound access. */
} else if (*string == '>') {
string++;
real_length = 0;
type = SGML_TOKEN_ELEMENT_EMPTY_END;
@ -671,7 +678,8 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
/* Force an incomplete token. */
string = scanner->end;
} else if (is_sgml_attribute(*string)) {
} else if (string < scanner->end
&& is_sgml_attribute(*string)) {
token->string.string++;
scan_sgml_attribute(scanner, string);
type = SGML_TOKEN_ATTRIBUTE;
@ -683,7 +691,8 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
type = SGML_TOKEN_IDENT;
}
if (is_sgml_attribute(*string)) {
if (string < scanner->end
&& is_sgml_attribute(*string)) {
scan_sgml_attribute(scanner, string);
type = SGML_TOKEN_ATTRIBUTE;
if (string[-1] == '/' && string[0] == '>') {