authorJohn Mark Bell <jmb@netsurf-browser.org>2008-08-18 17:26:14 +0000
committerJohn Mark Bell <jmb@netsurf-browser.org>2008-08-18 17:26:14 +0000
commitf39a846715f4c6e9a12ba9a7d3085da59cef1332 (patch)
tree67e40f17aeb2adfa3729cbf81b0a3c066c1f54fc
parenta000310dd4fd0d6f8e4fd0f40529e5e8b2318f9e (diff)
downloadlibhubbub-f39a846715f4c6e9a12ba9a7d3085da59cef1332.tar.gz
libhubbub-f39a846715f4c6e9a12ba9a7d3085da59cef1332.tar.bz2
Fix segfault caused by trampling the length of the current character when testing whether the 4 most recently read characters in the data state are <!--.
Add a couple of assertions for paranoia. svn path=/trunk/hubbub/; revision=5146
-rw-r--r--src/tokeniser/tokeniser.c10
-rw-r--r--test/data/html/INDEX2
2 files changed, 9 insertions, 3 deletions
diff --git a/src/tokeniser/tokeniser.c b/src/tokeniser/tokeniser.c
index ece2e20..43b4823 100644
--- a/src/tokeniser/tokeniser.c
+++ b/src/tokeniser/tokeniser.c
@@ -622,11 +622,14 @@ hubbub_error hubbub_tokeniser_handle_data(hubbub_tokeniser *tokeniser)
tokeniser->content_model ==
HUBBUB_CONTENT_MODEL_CDATA) &&
tokeniser->context.pending >= 3) {
-
+ size_t ignore;
cptr = parserutils_inputstream_peek(
tokeniser->input,
tokeniser->context.pending - 3,
- &len);
+ &ignore);
+
+ assert(cptr != PARSERUTILS_INPUTSTREAM_OOD &&
+ cptr != PARSERUTILS_INPUTSTREAM_EOF);
if (strncmp((char *)cptr,
"<!--", SLEN("<!--")) == 0) {
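Review bot: The new `assert(cptr != PARSERUTILS_INPUTSTREAM_OOD && cptr != PARSERUTILS_INPUTSTREAM_EOF)` is the only check between the peek and the `strncmp((char *)cptr, ...)` dereference, and it compiles out under NDEBUG, so a release build would read through a sentinel pointer if the invariant ever fails. If the invariant is meant to hold because the character at offset `pending` has already been peeked successfully (so the buffer covers the three bytes before it), state that next to the assert, e.g. `/* The current character at offset pending is already buffered, so pending - 3 is in range. */`; otherwise turn the assert into an `if` that skips the comparison. Note that `ignore` receives the length of the single character at `pending - 3`, not the span being compared, so it cannot stand in for a bounds check on the four bytes `strncmp` may read. hubbub_tokeniser_handle_data starts and ends outside this hunk.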
@@ -664,6 +667,9 @@ hubbub_error hubbub_tokeniser_handle_data(hubbub_tokeniser *tokeniser)
tokeniser->context.pending - 2,
&len);
+ assert(cptr != PARSERUTILS_INPUTSTREAM_OOD &&
+ cptr != PARSERUTILS_INPUTSTREAM_EOF);
+
if (strncmp((char *)cptr, "-->", SLEN("-->")) == 0) {
tokeniser->escape_flag = false;
}
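Review bot: The peek at `tokeniser->context.pending - 2, &len);` just above the added assert still writes the peeked character's length into `len`, which is the same overwrite the first hunk fixes for the `<!--` test by introducing `size_t ignore;`. If `len` still holds the current character's length and is used later in hubbub_tokeniser_handle_data (the function continues outside the hunk, so this cannot be confirmed here), the same trampling can recur on this path; passing a scratch `size_t ignore;` as in the first hunk would make both sites consistent. The same NDEBUG caveat applies to this assert as to the one in the first hunk.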
diff --git a/test/data/html/INDEX b/test/data/html/INDEX
index f09f371..ae94390 100644
--- a/test/data/html/INDEX
+++ b/test/data/html/INDEX
@@ -18,5 +18,5 @@ www.fhis.ubc.ca.html Segfault page (fixed in r5104).
ccr.coriell.org.html Segfault page (fixed in r5106).
wbh.co.uk.html Segfault in treebuilder (fixed in r5125).
www.directline.com.html Segfault in current_node()
-www.hanazonohifuku.com.html Abort in token emitter
+www.hanazonohifuku.com.html Abort in token emitter (fixed in r5146).