Attachment 412860 Details for Bug 561452 – patch issued by tidy-html5 fork

[patch] patch issued by tidy-html5 fork

11CVE-2015-5522.patch (text/plain), 1.35 KB, created by Sylvia on 2015-09-25 11:46:12 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sylvia

Created: 2015-09-25 11:46:12 UTC

Size: 1.35 KB

patch

obsolete

>From c18f27a58792f7fbd0b30a0ff50d6b40a82f940d Mon Sep 17 00:00:00 2001
>From: Geoff McLane <ubuntu@geoffair.info>
>Date: Wed, 3 Jun 2015 20:26:03 +0200
>Subject: [PATCH] Issue #217 - avoid len going negative, ever...
>
>---
> src/lexer.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
>diff --git a/src/lexer.c b/src/lexer.c
>index 376a3d8..664f806 100644
>--- a/src/lexer.c
>+++ b/src/lexer.c
>@@ -3739,16 +3740,17 @@ static tmbstr ParseValue( TidyDocImpl* doc, ctmbstr name,
>         /* and prompts attributes unless --literal-attributes is set to yes      */
>         /* #994841 - Whitespace is removed from value attributes                 */
> 
>-        if (munge &&
>+        /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
>+        if ((len > 0) && munge &&
>             TY_(tmbstrcasecmp)(name, "alt") &&
>             TY_(tmbstrcasecmp)(name, "title") &&
>             TY_(tmbstrcasecmp)(name, "value") &&
>             TY_(tmbstrcasecmp)(name, "prompt"))
>         {
>-            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
>+            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
>                 --len;
> 
>-            while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
>+            while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
>             {
>                 ++start;
>                 --len;

Actions: View | Diff

Attachments on bug 561452: 412860 | 438954