author | Eric Wong <normalperson@yhbt.net> | 2011-07-21 03:24:54 (UTC) |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2011-07-21 14:21:52 (UTC) |
commit | 9cae75d040d9102d4b628ba3c828d95d0251f5c0 (patch) (unidiff) | |
tree | 90dd85a1ebcb0c8731bb02823b9d3707e873945d | |
parent | 877ff681007f31c69777e9569c4de819d4af19c9 (diff) | |
download | cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.zip cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar.gz cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar.bz2 |
html.c: avoid out-of-bounds access for url_escape_table
This fixes a segfault for me with with -O2 optimization on x86
with gcc (Debian 4.4.5-8) 4.4.5
I can reliably reproduce it with the following parameters
when pointed to the git.git repository:
PATH_INFO='/git-core.git/diff/'
QUERY_STRING='id=2b93bfac0f5bcabbf60f174f4e7bfa9e318e64d5&id2=d6da71a9d16b8cf27f9d8f90692d3625c849cbc8'
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | html.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -162,7 +162,7 @@ void html_url_path(const char *txt) | |||
162 | { | 162 | { |
163 | const char *t = txt; | 163 | const char *t = txt; |
164 | while(t && *t){ | 164 | while(t && *t){ |
165 | int c = *t; | 165 | unsigned char c = *t; |
166 | const char *e = url_escape_table[c]; | 166 | const char *e = url_escape_table[c]; |
167 | if (e && c!='+' && c!='&') { | 167 | if (e && c!='+' && c!='&') { |
168 | html_raw(txt, t - txt); | 168 | html_raw(txt, t - txt); |
@@ -179,7 +179,7 @@ void html_url_arg(const char *txt) | |||
179 | { | 179 | { |
180 | const char *t = txt; | 180 | const char *t = txt; |
181 | while(t && *t){ | 181 | while(t && *t){ |
182 | int c = *t; | 182 | unsigned char c = *t; |
183 | const char *e = url_escape_table[c]; | 183 | const char *e = url_escape_table[c]; |
184 | if (c == ' ') | 184 | if (c == ' ') |
185 | e = "+"; | 185 | e = "+"; |