summaryrefslogtreecommitdiffabout
authorEric Wong <normalperson@yhbt.net>2011-07-21 03:24:54 (UTC)
committer Lars Hjemli <hjemli@gmail.com>2011-07-21 14:21:52 (UTC)
commit9cae75d040d9102d4b628ba3c828d95d0251f5c0 (patch) (unidiff)
tree90dd85a1ebcb0c8731bb02823b9d3707e873945d
parent877ff681007f31c69777e9569c4de819d4af19c9 (diff)
downloadcgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.zip
cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar.gz
cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar.bz2
html.c: avoid out-of-bounds access for url_escape_table
This fixes a segfault for me with with -O2 optimization on x86 with gcc (Debian 4.4.5-8) 4.4.5 I can reliably reproduce it with the following parameters when pointed to the git.git repository: PATH_INFO='/git-core.git/diff/' QUERY_STRING='id=2b93bfac0f5bcabbf60f174f4e7bfa9e318e64d5&id2=d6da71a9d16b8cf27f9d8f90692d3625c849cbc8' Signed-off-by: Eric Wong <normalperson@yhbt.net> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--html.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/html.c b/html.c
index 24a03a5..5b07aa0 100644
--- a/html.c
+++ b/html.c
@@ -141,66 +141,66 @@ void html_attr(const char *txt)
141 if (c=='<' || c=='>' || c=='\'' || c=='\"' || c=='&') { 141 if (c=='<' || c=='>' || c=='\'' || c=='\"' || c=='&') {
142 html_raw(txt, t - txt); 142 html_raw(txt, t - txt);
143 if (c=='>') 143 if (c=='>')
144 html("&gt;"); 144 html("&gt;");
145 else if (c=='<') 145 else if (c=='<')
146 html("&lt;"); 146 html("&lt;");
147 else if (c=='\'') 147 else if (c=='\'')
148 html("&#x27;"); 148 html("&#x27;");
149 else if (c=='"') 149 else if (c=='"')
150 html("&quot;"); 150 html("&quot;");
151 else if (c=='&') 151 else if (c=='&')
152 html("&amp;"); 152 html("&amp;");
153 txt = t+1; 153 txt = t+1;
154 } 154 }
155 t++; 155 t++;
156 } 156 }
157 if (t!=txt) 157 if (t!=txt)
158 html(txt); 158 html(txt);
159} 159}
160 160
161void html_url_path(const char *txt) 161void html_url_path(const char *txt)
162{ 162{
163 const char *t = txt; 163 const char *t = txt;
164 while(t && *t){ 164 while(t && *t){
165 int c = *t; 165 unsigned char c = *t;
166 const char *e = url_escape_table[c]; 166 const char *e = url_escape_table[c];
167 if (e && c!='+' && c!='&') { 167 if (e && c!='+' && c!='&') {
168 html_raw(txt, t - txt); 168 html_raw(txt, t - txt);
169 html(e); 169 html(e);
170 txt = t+1; 170 txt = t+1;
171 } 171 }
172 t++; 172 t++;
173 } 173 }
174 if (t!=txt) 174 if (t!=txt)
175 html(txt); 175 html(txt);
176} 176}
177 177
178void html_url_arg(const char *txt) 178void html_url_arg(const char *txt)
179{ 179{
180 const char *t = txt; 180 const char *t = txt;
181 while(t && *t){ 181 while(t && *t){
182 int c = *t; 182 unsigned char c = *t;
183 const char *e = url_escape_table[c]; 183 const char *e = url_escape_table[c];
184 if (c == ' ') 184 if (c == ' ')
185 e = "+"; 185 e = "+";
186 if (e) { 186 if (e) {
187 html_raw(txt, t - txt); 187 html_raw(txt, t - txt);
188 html(e); 188 html(e);
189 txt = t+1; 189 txt = t+1;
190 } 190 }
191 t++; 191 t++;
192 } 192 }
193 if (t!=txt) 193 if (t!=txt)
194 html(txt); 194 html(txt);
195} 195}
196 196
197void html_hidden(const char *name, const char *value) 197void html_hidden(const char *name, const char *value)
198{ 198{
199 html("<input type='hidden' name='"); 199 html("<input type='hidden' name='");
200 html_attr(name); 200 html_attr(name);
201 html("' value='"); 201 html("' value='");
202 html_attr(value); 202 html_attr(value);
203 html("'/>"); 203 html("'/>");
204} 204}
205 205
206void html_option(const char *value, const char *text, const char *selected_value) 206void html_option(const char *value, const char *text, const char *selected_value)