mirror of
https://github.com/rkd77/elinks.git
synced 2024-09-30 03:26:23 -04:00
a2404407ce
look_for_link() used to return 0 both when it found the closing </MAP> tag, and when it hit the end of the file. In the first case, it also added *menu to the memory_list; in the second case, it did not. The caller get_image_map() supposedly distinguished between these cases by checking whether pos >= eof, and freed *menu separately if so. However, if the </MAP> was at the very end of the HTML file, so that not even a newline followed it, then look_for_link() left pos == eof even though it had found the </MAP> and added *menu to the memory_list. This made get_image_map() misinterpret the result and mem_free(*menu) even though *menu had already been freed as part of the memory_list; thus the crash.

To fix this, make look_for_link() return -1 instead of 0 if it hits EOF without finding the </MAP>. Then make get_image_map() check the return value instead of comparing pos to eof. And add a test case, although not an automated one.

Alternatively, look_for_link() could have been changed to decrement pos between finding the </MAP> and returning 0. Then, the pos >= eof comparison in get_image_map() would have been false. That scheme would however have been a bit more difficult to understand and maintain, I think.

Reported by Paul B. Mahol.
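The return-value ambiguity the commit message describes, reduced to a small model (an added example, not ELinks code): look_for_link and get_image_map are reused only as labels, memory_list is a fixed array, and mem_free is replaced by a counter so that the double free becomes an observable value instead of undefined behaviour.

```c
#include <string.h>
/* Hypothetical model of the ELinks bug, not the project's code: the menu is a
 * counted object so a double free shows up as free_count == 2 instead of UB. */
struct menu { int free_count; };
struct memory_list { struct menu *items[4]; int n; }; /* released in one go */
static void release_menu(struct menu *m) { m->free_count++; }
static void free_memory_list(struct memory_list *ml)
{
    for (int i = 0; i < ml->n; i++) release_menu(ml->items[i]);
    ml->n = 0;
}
/* Scan html[*pos, eof) for "</MAP>"; on success register m in ml and return 0.
 * eof_rc is returned when the scan runs off the end: 0 reproduces the old
 * ambiguous convention, -1 the fixed one. Either way m is NOT in ml then. */
static int look_for_link(const char *html, int *pos, int eof,
                         struct menu *m, struct memory_list *ml, int eof_rc)
{
    for (; *pos < eof; (*pos)++) {
        if (eof - *pos >= 6 && memcmp(html + *pos, "</MAP>", 6) == 0) {
            *pos += 6;                 /* == eof when nothing follows the tag */
            ml->items[ml->n++] = m;
            return 0;
        }
    }
    return eof_rc;
}
/* Old caller: infers "EOF without </MAP>" from pos, which is wrong when </MAP>
 * is the very last thing in the file. Returns how often m was freed. */
int get_image_map_old(const char *html)
{
    struct menu m = {0};
    struct memory_list ml = {{0}, 0};
    int pos = 0, eof = (int)strlen(html);
    look_for_link(html, &pos, eof, &m, &ml, 0);
    if (pos >= eof) release_menu(&m);  /* frees again if </MAP> ended the file */
    free_memory_list(&ml);
    return m.free_count;               /* 2 means double free */
}
/* Fixed caller: decides from the return value, never from pos. */
int get_image_map_fixed(const char *html)
{
    struct menu m = {0};
    struct memory_list ml = {{0}, 0};
    int pos = 0, eof = (int)strlen(html);
    if (look_for_link(html, &pos, eof, &m, &ml, -1) < 0) release_menu(&m);
    free_memory_list(&ml);
    return m.free_count;               /* always 1 */
}
```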
5 lines
242 B
HTML
<TITLE>Double-free crash in USEMAP</TITLE>
<P><IMG src="/dev/null" usemap="#crasher"></P>
<MAP name="crasher">
<AREA shape="rect" coords="42,42,69,69" href="http://elinks.cz/" alt="see this?">
<!-- no newline at the end of this line --></MAP>
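Review bot: the whole test hinges on the missing final newline after </MAP> on the last line, and the commit message says the test is not automated, so nothing will notice if an editor, a formatter or a git hook quietly appends a newline and turns this into a file that no longer reaches the pos == eof path. Consider stating that requirement at the top of the file as well, where a reader sees it before the markup (the only hint now is the HTML comment on the final line), and pairing the manual instructions with a one-line check that the file's last byte is not a newline, so the property can be verified before the file is loaded in ELinks.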