components/tidy/patches/fix-heap-overflow.patch
changeset 6603 82e0c142e47f
parent 6602 162319034b53
child 6604 cd700b33a402
6602:162319034b53 6603:82e0c142e47f
     1 Fix tidy issue #217 - heap-buffer-overflow
       
     2 https://github.com/htacg/tidy-html5/issues/217
       
     3 
       
     4 See also:
       
     5 
       
     6 https://bugzilla.redhat.com/show_bug.cgi?id=1228297
       
     7 
       
     8 with git commit at:
       
     9 
       
    10 https://github.com/htacg/tidy-html5/commit/c18f27a58792f7fbd0b30a0ff50d6b40a82f940d
       
    11 
       
    12 (Note that this is for tidy5. This patch is for the previous version of tidy
       
    13 so is not quite identical.)
       
    14 
       
    15 CVE request: http://seclists.org/oss-sec/2015/q2/633
       
    16 
       
    17 --- tidy-1.0.0/src/lexer.c.orig	2015-06-10 12:55:05.134948374 -0700
       
    18 +++ tidy-1.0.0/src/lexer.c	2015-06-10 12:54:58.445166530 -0700
       
    19 @@ -3465,16 +3465,17 @@
       
    20          /* and prompts attributes unless --literal-attributes is set to yes      */
       
    21          /* #994841 - Whitespace is removed from value attributes                 */
       
    22  
       
    23 -        if (munge &&
       
    24 +        /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
       
    25 +        if ((len > 0) && munge &&
       
    26              TY_(tmbstrcasecmp)(name, "alt") &&
       
    27              TY_(tmbstrcasecmp)(name, "title") &&
       
    28              TY_(tmbstrcasecmp)(name, "value") &&
       
    29              TY_(tmbstrcasecmp)(name, "prompt"))
       
    30          {
       
    31 -            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
       
    32 +            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
       
    33                  --len;
       
    34  
       
    35 -            while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
       
    36 +            while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
       
    37              {
       
    38                  ++start;
       
    39                  --len;
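Review bot: The trailing-whitespace loop added at patch line 32 still indexes the buffer before it tests the bound, so once `len` has been decremented to 0 it evaluates `lexer->lexbuf[start+len-1]`, i.e. `lexbuf[start-1]`, one more time before `(len > 0)` stops it. That is a read one byte before the attribute value, and before the buffer itself if `start` can be 0 here. Putting the bound first lets short-circuit evaluation skip the read: `while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))`. The leading-whitespace loop at patch line 36 has the same read-then-check order and would be clearer as `while ((len > 0) && (start < len) && TY_(IsWhite)(lexer->lexbuf[start]))`. Its `start < len` test compares an offset with a length, which looks unintended but predates this patch. The enclosing function starts and ends outside the hunk, so the declared types of `start` and `len` are not visible from here.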