21199998 problem in LIBRARY/TIDY
authorRich Burridge <rich.burridge@oracle.com>
Thu, 11 Jun 2015 04:46:39 -0700
changeset 4467 775a857a1e2a
parent 4463 0f8d88e8430f
child 4468 2f1bf786d396
21199998 problem in LIBRARY/TIDY
components/tidy/patches/fix-heap-overflow.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/tidy/patches/fix-heap-overflow.patch	Thu Jun 11 04:46:39 2015 -0700
@@ -0,0 +1,39 @@
+Fix tidy issue #217 - heap-buffer-overflow
+https://github.com/htacg/tidy-html5/issues/217
+
+See also:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1228297
+
+with git commit at:
+
+https://github.com/htacg/tidy-html5/commit/c18f27a58792f7fbd0b30a0ff50d6b40a82f940d
+
+(Note that this is for tidy5. This patch is for the previous version of tidy
+so is not quite identical.)
+
+CVE request: http://seclists.org/oss-sec/2015/q2/633
+
+--- tidy-1.0.0/src/lexer.c.orig	2015-06-10 12:55:05.134948374 -0700
++++ tidy-1.0.0/src/lexer.c	2015-06-10 12:54:58.445166530 -0700
+@@ -3465,16 +3465,17 @@
+         /* and prompts attributes unless --literal-attributes is set to yes      */
+         /* #994841 - Whitespace is removed from value attributes                 */
+ 
+-        if (munge &&
++        /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
++        if ((len > 0) && munge &&
+             TY_(tmbstrcasecmp)(name, "alt") &&
+             TY_(tmbstrcasecmp)(name, "title") &&
+             TY_(tmbstrcasecmp)(name, "value") &&
+             TY_(tmbstrcasecmp)(name, "prompt"))
+         {
+-            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
++            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
+                 --len;
+ 
+-            while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
++            while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
+             {
+                 ++start;
+                 --len;
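Review bot: The added `(len > 0)` guard on the first trimming loop in the embedded lexer.c hunk is evaluated after the array read, so `lexer->lexbuf[start+len-1]` is still indexed with `len == 0` (that is, at `start-1`, and at `lexbuf[-1]` when `start` is 0) on the iteration that would end an all-whitespace value; the `&&` operands should be swapped so the bound is checked first, `while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))`. The outer `if ((len > 0) && munge && ...)` only protects the first iteration, not the decrement that follows. The second loop has the same ordering, `TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0)`, and would read more clearly and safely as `while ((len > 0) && (start < len) && TY_(IsWhite)(lexer->lexbuf[start]))`, though there the read is at `start` rather than before it. The enclosing function in lexer.c starts and ends outside this hunk, so whether `start` can be 0 at this point is inferred, not visible here.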