--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/tidy/patches/fix-heap-overflow.patch Thu Jun 11 04:46:39 2015 -0700
@@ -0,0 +1,39 @@
+Fix tidy issue #217 - heap-buffer-overflow
+https://github.com/htacg/tidy-html5/issues/217
+
+See also:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1228297
+
+with git commit at:
+
+https://github.com/htacg/tidy-html5/commit/c18f27a58792f7fbd0b30a0ff50d6b40a82f940d
+
+(Note that this is for tidy5. This patch is for the previous version of tidy
+so is not quite identical.)
+
+CVE request: http://seclists.org/oss-sec/2015/q2/633
+
+--- tidy-1.0.0/src/lexer.c.orig 2015-06-10 12:55:05.134948374 -0700
++++ tidy-1.0.0/src/lexer.c 2015-06-10 12:54:58.445166530 -0700
+@@ -3465,16 +3465,17 @@
+ /* and prompts attributes unless --literal-attributes is set to yes */
+ /* #994841 - Whitespace is removed from value attributes */
+
+- if (munge &&
++ /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
++ if ((len > 0) && munge &&
+ TY_(tmbstrcasecmp)(name, "alt") &&
+ TY_(tmbstrcasecmp)(name, "title") &&
+ TY_(tmbstrcasecmp)(name, "value") &&
+ TY_(tmbstrcasecmp)(name, "prompt"))
+ {
+- while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
++ while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
+ --len;
+
+- while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
++ while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
+ {
+ ++start;
+ --len;
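Review bot: In the first trimming loop the new bound is tested after the read, so `while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))` still evaluates `lexbuf[start+len-1]` once with `len == 0`, i.e. index `start-1`, when the value is all whitespace. Since `&&` short-circuits left to right, the guard should come first: `while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))`. Whether `start` can be 0 at this point is not visible here, so the read may land on the preceding byte of the lexer buffer rather than outside it, but the ordering should not rely on that. The second loop has the same read-before-check shape, and its `start < len` appears to compare a buffer offset with a length, which is worth confirming against the rest of the function. The function body begins and ends outside the hunk.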