equal
deleted
inserted
replaced
1 This patch copied/pasted from this link: |
|
2 http://git.gnome.org/browse/libxml2/patch/?id=d8e1faeaa99c7a7c07af01c1c72de352eb590a3e |
|
3 ---------------------------------------------------------------------- |
|
4 From d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Mon Sep 17 00:00:00 2001 |
|
5 From: Jüri Aedla <[email protected]> |
|
6 Date: Mon, 07 May 2012 07:06:56 +0000 |
|
7 Subject: Fix an off by one pointer access |
|
8 |
|
9 getting out of the range of memory allocated for xpointer decoding |
|
10 --- |
|
11 diff --git a/xpointer.c b/xpointer.c |
|
12 index 37afa3a..0b463dd 100644 |
|
13 --- a/xpointer.c |
|
14 +++ b/xpointer.c |
|
15 @@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) { |
|
16 NEXT; |
|
17 break; |
|
18 } |
|
19 - *cur++ = CUR; |
|
20 } else if (CUR == '(') { |
|
21 level++; |
|
22 - *cur++ = CUR; |
|
23 } else if (CUR == '^') { |
|
24 - NEXT; |
|
25 - if ((CUR == ')') || (CUR == '(') || (CUR == '^')) { |
|
26 - *cur++ = CUR; |
|
27 - } else { |
|
28 - *cur++ = '^'; |
|
29 - *cur++ = CUR; |
|
30 - } |
|
31 - } else { |
|
32 - *cur++ = CUR; |
|
33 + if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) { |
|
34 + NEXT; |
|
35 + } |
|
36 } |
|
37 + *cur++ = CUR; |
|
38 NEXT; |
|
39 } |
|
40 *cur = 0; |
|
41 -- |
|
42 cgit v0.9.0.2 |
|