aniani/elinks
1
0
Fork 0
mirror of https://github.com/rkd77/elinks.git synced 2024-12-04 14:46:47 -05:00
Code

Fix out of bound access to the scanned string

Browse Source
This commit is contained in:
Jonas Fonseca 2006-01-29 11:54:35 +01:00 committed by Jonas Fonseca
parent e5ba160c77
commit b69e0d4eb2
1 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/dom/sgml/scanner.c
View File

@ -294,7 +294,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
if (first_char == '<') {
skip_sgml_space(scanner, &string);
if (scanner->state == SGML_STATE_ELEMENT) {
if (string == scanner->end) {
/* Prevent out of bound access. */
} else if (scanner->state == SGML_STATE_ELEMENT) {
/* Already inside an element so insert a tag end token
* and continue scanning in next iteration. */
string--;
@ -309,7 +312,7 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
real_length = string - token->string.string;
skip_sgml_space(scanner, &string);
if (*string == '>') {
if (string < scanner->end && *string == '>') {
type = SGML_TOKEN_ELEMENT;
string++;
} else {
@ -365,7 +368,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
string++;
skip_sgml_space(scanner, &string);
if (is_sgml_ident(*string)) {
if (string == scanner->end) {
/* Prevent out of bound access. */
} else if (is_sgml_ident(*string)) {
token->string.string = string;
scan_sgml(scanner, string, SGML_CHAR_IDENT);
real_length = string - token->string.string;
@ -400,7 +406,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
scanner->state = SGML_STATE_TEXT;
} else if (first_char == '/') {
if (*string == '>') {
if (string == scanner->end) {
/* Prevent out of bound access. */
} else if (*string == '>') {
string++;
real_length = 0;
type = SGML_TOKEN_ELEMENT_EMPTY_END;
@ -422,7 +431,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
real_length = string_end - token->string.string;
string = string_end + 1;
type = SGML_TOKEN_STRING;
} else if (is_sgml_attribute(*string)) {
} else if (string < scanner->end
&& is_sgml_attribute(*string)) {
token->string.string++;
scan_sgml_attribute(scanner, string);
type = SGML_TOKEN_ATTRIBUTE;
@ -434,7 +446,8 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
type = SGML_TOKEN_IDENT;
}
if (is_sgml_attribute(*string)) {
if (string < scanner->end
&& is_sgml_attribute(*string)) {
scan_sgml_attribute(scanner, string);
type = SGML_TOKEN_ATTRIBUTE;
if (string[-1] == '/' && string[0] == '>')