[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug #52433] Commit [09040dbf] is wrong: bad bounds check in pre-html.cp
From: |
G. Branden Robinson |
Subject: |
[bug #52433] Commit [09040dbf] is wrong: bad bounds check in pre-html.cpp |
Date: |
Mon, 5 Nov 2018 03:35:11 -0500 (EST) |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 |
Update of bug #52433 (project groff):
Category: None => Preprocessor html
Item Group: None => Incorrect behaviour
Status: None => Need Info
Summary: Commit [09040dbf] is wrong => Commit [09040dbf] is
wrong: bad bounds check in pre-html.cpp
_______________________________________________________
Follow-up Comment #1:
Any one got ideas about this? I'm afraid I don't understand the code well
enough to craft an exploit for it, but our anonymous submitter has a
suggestion.
Here's the commit to which he refers.
commit 09040dbf908c2563e0d918a1dca7bb564226a0f8
Author: Bálint Réczey <address@hidden>
Date: Tue Feb 16 00:16:28 2016 +0100
[pre-grohtml] Fix out-of-bounds array access (#47161).
* src/preproc/html/pre-html.cpp (char_buffer::write_upto_newline):
Implement it.
diff --git a/ChangeLog b/ChangeLog
index b3cdf1d7..b264974d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-02-15 Bálint Réczey <address@hidden>
+
+ [pre-grohtml] Fix out-of-bounds array access (#47161).
+
+ * src/preproc/html/pre-html.cpp (char_buffer::write_upto_newline):
+ Implement it.
+
2016-02-15 Bálint Réczey <address@hidden>
Don't use `memcpy' with NULL input or output argument (#47160).
diff --git a/src/preproc/html/pre-html.cpp b/src/preproc/html/pre-html.cpp
index 978721a1..8698149a 100644
--- a/src/preproc/html/pre-html.cpp
+++ b/src/preproc/html/pre-html.cpp
@@ -661,7 +661,7 @@ void char_buffer::write_upto_newline(char_block **t, int
*i, int is_html)
&& (*t)->buffer[j] == '\n')
j++;
writeNbytes((*t)->buffer + (*i), j - (*i));
- if ((*t)->buffer[j] == INLINE_LEADER_CHAR) {
+ if (j < char_block::SIZE && (*t)->buffer[j] == INLINE_LEADER_CHAR) {
if (can_see(t, &j, HTML_IMAGE_INLINE_BEGIN))
write_start_image(INLINE, is_html);
else if (can_see(t, &j, HTML_IMAGE_INLINE_END))
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?52433>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [bug #52433] Commit [09040dbf] is wrong: bad bounds check in pre-html.cpp,
G. Branden Robinson <=