1 Fix tidy issue #217 - heap-buffer-overflow |
|
2 https://github.com/htacg/tidy-html5/issues/217 |
|
3 |
|
4 See also: |
|
5 |
|
6 https://bugzilla.redhat.com/show_bug.cgi?id=1228297 |
|
7 |
|
8 with git commit at: |
|
9 |
|
10 https://github.com/htacg/tidy-html5/commit/c18f27a58792f7fbd0b30a0ff50d6b40a82f940d |
|
11 |
|
12 (Note that this is for tidy5. This patch is for the previous version of tidy |
|
13 so is not quite identical.) |
|
14 |
|
15 CVE request: http://seclists.org/oss-sec/2015/q2/633 |
|
16 |
|
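--- a/tidy-1.0.0/src/lexer.c
+++ b/tidy-1.0.0/src/lexer.c
@@ -3465,16 +3465,17 @@
 /* and prompts attributes unless --literal-attributes is set to yes */
 /* #994841 - Whitespace is removed from value attributes */
 
-if (munge &&
+/* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
+if ((len > 0) && munge &&
 TY_(tmbstrcasecmp)(name, "alt") &&
 TY_(tmbstrcasecmp)(name, "title") &&
 TY_(tmbstrcasecmp)(name, "value") &&
 TY_(tmbstrcasecmp)(name, "prompt"))
 {
-while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
+while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
 --len;
 
-while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
+while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
 {
 ++start;
 --len;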
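Review bot: In both rewritten `while` conditions the new `(len > 0)` test comes after the `lexer->lexbuf[...]` read, so the guard cannot stop the access it is meant to protect: once the first loop has decremented `len` to 0, the condition is evaluated once more and reads `lexbuf[start+len-1]`, i.e. `lexbuf[start-1]`, before `&&` short-circuits. That is one element outside the attribute value, and outside the buffer if `start` can be 0 (the declarations of `start` and `len` are not in this hunk, so confirm their types and ranges). Putting the bound first closes it: `while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))` and `while ((len > 0) && (start < len) && TY_(IsWhite)(lexer->lexbuf[start]))`. The enclosing function begins and ends outside the hunk.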