author | Eric Wong <normalperson@yhbt.net> | 2011-07-21 03:24:54 (UTC) |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2011-07-21 14:21:52 (UTC) |
commit | 9cae75d040d9102d4b628ba3c828d95d0251f5c0 (patch) (side-by-side diff) | |
tree | 90dd85a1ebcb0c8731bb02823b9d3707e873945d | |
parent | 877ff681007f31c69777e9569c4de819d4af19c9 (diff) | |
html.c: avoid out-of-bounds access for url_escape_table
This fixes a segfault for me with -O2 optimization on x86
with gcc (Debian 4.4.5-8) 4.4.5
I can reliably reproduce it with the following parameters
when pointed to the git.git repository:
PATH_INFO='/git-core.git/diff/'
QUERY_STRING='id=2b93bfac0f5bcabbf60f174f4e7bfa9e318e64d5&id2=d6da71a9d16b8cf27f9d8f90692d3625c849cbc8'
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | html.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -117,114 +117,114 @@ void html_ntxt(int len, const char *txt)
int c = *t; if (c=='<' || c=='>' || c=='&') { html_raw(txt, t - txt); if (c=='>') html(">"); else if (c=='<') html("<"); else if (c=='&') html("&"); txt = t+1; } t++; } if (t!=txt) html_raw(txt, t - txt); if (len<0) html("..."); } void html_attr(const char *txt) { const char *t = txt; while(t && *t){ int c = *t; if (c=='<' || c=='>' || c=='\'' || c=='\"' || c=='&') { html_raw(txt, t - txt); if (c=='>') html(">"); else if (c=='<') html("<"); else if (c=='\'') html("'"); else if (c=='"') html("""); else if (c=='&') html("&"); txt = t+1; } t++; } if (t!=txt) html(txt); } void html_url_path(const char *txt) { const char *t = txt; while(t && *t){
- int c = *t;
+ unsigned char c = *t;
const char *e = url_escape_table[c]; if (e && c!='+' && c!='&') { html_raw(txt, t - txt); html(e); txt = t+1; } t++; } if (t!=txt) html(txt); } void html_url_arg(const char *txt) { const char *t = txt; while(t && *t){
- int c = *t;
+ unsigned char c = *t;
const char *e = url_escape_table[c]; if (c == ' ') e = "+"; if (e) { html_raw(txt, t - txt); html(e); txt = t+1; } t++; } if (t!=txt) html(txt); } void html_hidden(const char *name, const char *value) { html("<input type='hidden' name='"); html_attr(name); html("' value='"); html_attr(value); html("'/>"); } void html_option(const char *value, const char *text, const char *selected_value) { html("<option value='"); html_attr(value); html("'"); if (selected_value && !strcmp(selected_value, value)) html(" selected='selected'"); html(">"); html_txt(text); html("</option>\n"); } void html_link_open(const char *url, const char *title, const char *class) { html("<a href='"); html_attr(url); if (title) { html("' title='"); html_attr(title); } if (class) { html("' class='"); html_attr(class); } html("'>"); |
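Review bot: The new `unsigned char c = *t;` in html_url_path and html_url_arg keeps the index non-negative, but `url_escape_table[c]` is only in bounds if the table is declared with 256 entries, and that declaration is outside this hunk, so it should be confirmed. Where plain `char` is signed, a byte of 0x80 or above previously became a negative index; the commit message reproduces the crash through PATH_INFO and QUERY_STRING, which suggests the bytes come from the request. A short comment above each lookup would keep the type from being changed back, for example `/* unsigned char: bytes >= 0x80 must not become a negative table index */`. It is also worth checking that the table has entries for 0x80–0xff, because a NULL entry there would emit those bytes unescaped into the URL.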