mirror of
https://github.com/rkd77/elinks.git
synced 2024-10-28 08:07:17 -04:00
Fix out of bound access to the scanned string
This commit is contained in:
parent
e5ba160c77
commit
b69e0d4eb2
@ -294,7 +294,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
|
|||||||
if (first_char == '<') {
|
if (first_char == '<') {
|
||||||
skip_sgml_space(scanner, &string);
|
skip_sgml_space(scanner, &string);
|
||||||
|
|
||||||
if (scanner->state == SGML_STATE_ELEMENT) {
|
if (string == scanner->end) {
|
||||||
|
/* Prevent out of bound access. */
|
||||||
|
|
||||||
|
} else if (scanner->state == SGML_STATE_ELEMENT) {
|
||||||
/* Already inside an element so insert a tag end token
|
/* Already inside an element so insert a tag end token
|
||||||
* and continue scanning in next iteration. */
|
* and continue scanning in next iteration. */
|
||||||
string--;
|
string--;
|
||||||
@ -309,7 +312,7 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
|
|||||||
real_length = string - token->string.string;
|
real_length = string - token->string.string;
|
||||||
|
|
||||||
skip_sgml_space(scanner, &string);
|
skip_sgml_space(scanner, &string);
|
||||||
if (*string == '>') {
|
if (string < scanner->end && *string == '>') {
|
||||||
type = SGML_TOKEN_ELEMENT;
|
type = SGML_TOKEN_ELEMENT;
|
||||||
string++;
|
string++;
|
||||||
} else {
|
} else {
|
||||||
@ -365,7 +368,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
|
|||||||
string++;
|
string++;
|
||||||
skip_sgml_space(scanner, &string);
|
skip_sgml_space(scanner, &string);
|
||||||
|
|
||||||
if (is_sgml_ident(*string)) {
|
if (string == scanner->end) {
|
||||||
|
/* Prevent out of bound access. */
|
||||||
|
|
||||||
|
} else if (is_sgml_ident(*string)) {
|
||||||
token->string.string = string;
|
token->string.string = string;
|
||||||
scan_sgml(scanner, string, SGML_CHAR_IDENT);
|
scan_sgml(scanner, string, SGML_CHAR_IDENT);
|
||||||
real_length = string - token->string.string;
|
real_length = string - token->string.string;
|
||||||
@ -400,7 +406,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
|
|||||||
scanner->state = SGML_STATE_TEXT;
|
scanner->state = SGML_STATE_TEXT;
|
||||||
|
|
||||||
} else if (first_char == '/') {
|
} else if (first_char == '/') {
|
||||||
if (*string == '>') {
|
if (string == scanner->end) {
|
||||||
|
/* Prevent out of bound access. */
|
||||||
|
|
||||||
|
} else if (*string == '>') {
|
||||||
string++;
|
string++;
|
||||||
real_length = 0;
|
real_length = 0;
|
||||||
type = SGML_TOKEN_ELEMENT_EMPTY_END;
|
type = SGML_TOKEN_ELEMENT_EMPTY_END;
|
||||||
@ -422,7 +431,10 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
|
|||||||
real_length = string_end - token->string.string;
|
real_length = string_end - token->string.string;
|
||||||
string = string_end + 1;
|
string = string_end + 1;
|
||||||
type = SGML_TOKEN_STRING;
|
type = SGML_TOKEN_STRING;
|
||||||
} else if (is_sgml_attribute(*string)) {
|
|
||||||
|
} else if (string < scanner->end
|
||||||
|
&& is_sgml_attribute(*string)) {
|
||||||
|
|
||||||
token->string.string++;
|
token->string.string++;
|
||||||
scan_sgml_attribute(scanner, string);
|
scan_sgml_attribute(scanner, string);
|
||||||
type = SGML_TOKEN_ATTRIBUTE;
|
type = SGML_TOKEN_ATTRIBUTE;
|
||||||
@ -434,7 +446,8 @@ scan_sgml_element_token(struct dom_scanner *scanner, struct dom_scanner_token *t
|
|||||||
type = SGML_TOKEN_IDENT;
|
type = SGML_TOKEN_IDENT;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (is_sgml_attribute(*string)) {
|
if (string < scanner->end
|
||||||
|
&& is_sgml_attribute(*string)) {
|
||||||
scan_sgml_attribute(scanner, string);
|
scan_sgml_attribute(scanner, string);
|
||||||
type = SGML_TOKEN_ATTRIBUTE;
|
type = SGML_TOKEN_ATTRIBUTE;
|
||||||
if (string[-1] == '/' && string[0] == '>')
|
if (string[-1] == '/' && string[0] == '>')
|
||||||
|
Loading…
Reference in New Issue
Block a user