From a1936321874de95265d38bcbdcaaa4a103cac24e Mon Sep 17 00:00:00 2001
From: Kalle Olavi Niemitalo
Date: Sun, 10 Dec 2006 14:14:16 +0200
Subject: [PATCH] Make html_context.quote_level unsigned.
Continuation of 7e9fc6f33b33e076d16a1b02ab011df92e2641a8.
---
 src/document/html/internal.h | 3 ++-
 src/document/html/parser/general.c | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/document/html/internal.h b/src/document/html/internal.h
index a28aeb93..89a56df1 100644
--- a/src/document/html/internal.h
+++ b/src/document/html/internal.h
@@ -66,7 +66,8 @@ struct html_context {
 * state-machine. */
 int was_li;
- int quote_level; /* Nesting level of tags. */
+ unsigned int quote_level; /* Nesting level of tags. See @html_quote
+ * for why this is unsigned. */
 unsigned int was_br:1;
 unsigned int was_xmp:1;
diff --git a/src/document/html/parser/general.c b/src/document/html/parser/general.c
index 1184bf2b..33fe08c0 100644
--- a/src/document/html/parser/general.c
+++ b/src/document/html/parser/general.c
@@ -104,6 +104,14 @@ void
 html_quote(struct html_context *html_context, unsigned char *a,
 unsigned char *xxx3, unsigned char *xxx4, unsigned char **xxx5)
 {
+ /* An HTML document containing extremely many repetitions of
+ * "" could cause @html_context->quote_level to overflow.
+ * Because it is unsigned, it then wraps around to zero, and
+ * we don't get a negative array index here. If the document
+ * then tries to close the quotes with "", @html_quote_close
+ * won't let the quote level wrap back, so it will render the
+ * quotes incorrectly, but such a document probably doesn't
+ * make sense anyway. */
 unsigned char *q = quote_char[html_context->quote_level++ % 2];
 put_chrs(html_context, q, 1);
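Review bot: Changing quote_level from int to unsigned int silently changes the meaning of any signed comparison on the field elsewhere (a `< 0` or `<= 0` test becomes always false, and a `%d` format argument becomes a type mismatch), yet the patch touches no other reader or writer of the field, so every use should be audited in the same change. The new comment in general.c names @html_quote_close as one such site, so there is at least one decrement path that deserves a look; none of those uses are visible here, so this is inferred. The struct html_context definition begins before this hunk and continues after it.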
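Review bot: The new comment in html_quote justifies the unsigned type only by the avoided negative array index, but the stronger reason is that incrementing a signed int past INT_MAX is undefined behaviour in C, so the old code had no guaranteed behaviour at all rather than merely a bad index, and a reader checking the reasoning should see that stated. Suggest extending the second sentence to `* Because it is unsigned, overflow is well-defined wraparound to zero (signed overflow would be undefined behaviour), so the "% 2" below always yields a valid index.` The claim that @html_quote_close refuses to wrap the level back cannot be checked from this hunk; its decrement presumably needs a `quote_level > 0` guard rather than a signed-comparison check, which would now never fire. The body of html_quote continues past the end of the hunk.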