| author | Eric Wong <normalperson@yhbt.net> | 2011-07-21 03:24:54 (UTC) |
|---|---|---|
| committer | Lars Hjemli <hjemli@gmail.com> | 2011-07-21 14:21:52 (UTC) |
| commit | 9cae75d040d9102d4b628ba3c828d95d0251f5c0 (patch) (unidiff) | |
| tree | 90dd85a1ebcb0c8731bb02823b9d3707e873945d | |
| parent | 877ff681007f31c69777e9569c4de819d4af19c9 (diff) | |
| download | cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.zip cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar.gz cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar.bz2 | |
html.c: avoid out-of-bounds access for url_escape_table
This fixes a segfault for me with with -O2 optimization on x86
with gcc (Debian 4.4.5-8) 4.4.5
I can reliably reproduce it with the following parameters
when pointed to the git.git repository:
PATH_INFO='/git-core.git/diff/'
QUERY_STRING='id=2b93bfac0f5bcabbf60f174f4e7bfa9e318e64d5&id2=d6da71a9d16b8cf27f9d8f90692d3625c849cbc8'
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
| -rw-r--r-- | html.c | 4 |
1 files changed, 2 insertions, 2 deletions
| @@ -101,146 +101,146 @@ void html_txt(const char *txt) | |||
| 101 | else if (c=='<') | 101 | else if (c=='<') |
| 102 | html("<"); | 102 | html("<"); |
| 103 | else if (c=='&') | 103 | else if (c=='&') |
| 104 | html("&"); | 104 | html("&"); |
| 105 | txt = t+1; | 105 | txt = t+1; |
| 106 | } | 106 | } |
| 107 | t++; | 107 | t++; |
| 108 | } | 108 | } |
| 109 | if (t!=txt) | 109 | if (t!=txt) |
| 110 | html(txt); | 110 | html(txt); |
| 111 | } | 111 | } |
| 112 | 112 | ||
| 113 | void html_ntxt(int len, const char *txt) | 113 | void html_ntxt(int len, const char *txt) |
| 114 | { | 114 | { |
| 115 | const char *t = txt; | 115 | const char *t = txt; |
| 116 | while(t && *t && len--){ | 116 | while(t && *t && len--){ |
| 117 | int c = *t; | 117 | int c = *t; |
| 118 | if (c=='<' || c=='>' || c=='&') { | 118 | if (c=='<' || c=='>' || c=='&') { |
| 119 | html_raw(txt, t - txt); | 119 | html_raw(txt, t - txt); |
| 120 | if (c=='>') | 120 | if (c=='>') |
| 121 | html(">"); | 121 | html(">"); |
| 122 | else if (c=='<') | 122 | else if (c=='<') |
| 123 | html("<"); | 123 | html("<"); |
| 124 | else if (c=='&') | 124 | else if (c=='&') |
| 125 | html("&"); | 125 | html("&"); |
| 126 | txt = t+1; | 126 | txt = t+1; |
| 127 | } | 127 | } |
| 128 | t++; | 128 | t++; |
| 129 | } | 129 | } |
| 130 | if (t!=txt) | 130 | if (t!=txt) |
| 131 | html_raw(txt, t - txt); | 131 | html_raw(txt, t - txt); |
| 132 | if (len<0) | 132 | if (len<0) |
| 133 | html("..."); | 133 | html("..."); |
| 134 | } | 134 | } |
| 135 | 135 | ||
| 136 | void html_attr(const char *txt) | 136 | void html_attr(const char *txt) |
| 137 | { | 137 | { |
| 138 | const char *t = txt; | 138 | const char *t = txt; |
| 139 | while(t && *t){ | 139 | while(t && *t){ |
| 140 | int c = *t; | 140 | int c = *t; |
| 141 | if (c=='<' || c=='>' || c=='\'' || c=='\"' || c=='&') { | 141 | if (c=='<' || c=='>' || c=='\'' || c=='\"' || c=='&') { |
| 142 | html_raw(txt, t - txt); | 142 | html_raw(txt, t - txt); |
| 143 | if (c=='>') | 143 | if (c=='>') |
| 144 | html(">"); | 144 | html(">"); |
| 145 | else if (c=='<') | 145 | else if (c=='<') |
| 146 | html("<"); | 146 | html("<"); |
| 147 | else if (c=='\'') | 147 | else if (c=='\'') |
| 148 | html("'"); | 148 | html("'"); |
| 149 | else if (c=='"') | 149 | else if (c=='"') |
| 150 | html("""); | 150 | html("""); |
| 151 | else if (c=='&') | 151 | else if (c=='&') |
| 152 | html("&"); | 152 | html("&"); |
| 153 | txt = t+1; | 153 | txt = t+1; |
| 154 | } | 154 | } |
| 155 | t++; | 155 | t++; |
| 156 | } | 156 | } |
| 157 | if (t!=txt) | 157 | if (t!=txt) |
| 158 | html(txt); | 158 | html(txt); |
| 159 | } | 159 | } |
| 160 | 160 | ||
| 161 | void html_url_path(const char *txt) | 161 | void html_url_path(const char *txt) |
| 162 | { | 162 | { |
| 163 | const char *t = txt; | 163 | const char *t = txt; |
| 164 | while(t && *t){ | 164 | while(t && *t){ |
| 165 | int c = *t; | 165 | unsigned char c = *t; |
| 166 | const char *e = url_escape_table[c]; | 166 | const char *e = url_escape_table[c]; |
| 167 | if (e && c!='+' && c!='&') { | 167 | if (e && c!='+' && c!='&') { |
| 168 | html_raw(txt, t - txt); | 168 | html_raw(txt, t - txt); |
| 169 | html(e); | 169 | html(e); |
| 170 | txt = t+1; | 170 | txt = t+1; |
| 171 | } | 171 | } |
| 172 | t++; | 172 | t++; |
| 173 | } | 173 | } |
| 174 | if (t!=txt) | 174 | if (t!=txt) |
| 175 | html(txt); | 175 | html(txt); |
| 176 | } | 176 | } |
| 177 | 177 | ||
| 178 | void html_url_arg(const char *txt) | 178 | void html_url_arg(const char *txt) |
| 179 | { | 179 | { |
| 180 | const char *t = txt; | 180 | const char *t = txt; |
| 181 | while(t && *t){ | 181 | while(t && *t){ |
| 182 | int c = *t; | 182 | unsigned char c = *t; |
| 183 | const char *e = url_escape_table[c]; | 183 | const char *e = url_escape_table[c]; |
| 184 | if (c == ' ') | 184 | if (c == ' ') |
| 185 | e = "+"; | 185 | e = "+"; |
| 186 | if (e) { | 186 | if (e) { |
| 187 | html_raw(txt, t - txt); | 187 | html_raw(txt, t - txt); |
| 188 | html(e); | 188 | html(e); |
| 189 | txt = t+1; | 189 | txt = t+1; |
| 190 | } | 190 | } |
| 191 | t++; | 191 | t++; |
| 192 | } | 192 | } |
| 193 | if (t!=txt) | 193 | if (t!=txt) |
| 194 | html(txt); | 194 | html(txt); |
| 195 | } | 195 | } |
| 196 | 196 | ||
| 197 | void html_hidden(const char *name, const char *value) | 197 | void html_hidden(const char *name, const char *value) |
| 198 | { | 198 | { |
| 199 | html("<input type='hidden' name='"); | 199 | html("<input type='hidden' name='"); |
| 200 | html_attr(name); | 200 | html_attr(name); |
| 201 | html("' value='"); | 201 | html("' value='"); |
| 202 | html_attr(value); | 202 | html_attr(value); |
| 203 | html("'/>"); | 203 | html("'/>"); |
| 204 | } | 204 | } |
| 205 | 205 | ||
| 206 | void html_option(const char *value, const char *text, const char *selected_value) | 206 | void html_option(const char *value, const char *text, const char *selected_value) |
| 207 | { | 207 | { |
| 208 | html("<option value='"); | 208 | html("<option value='"); |
| 209 | html_attr(value); | 209 | html_attr(value); |
| 210 | html("'"); | 210 | html("'"); |
| 211 | if (selected_value && !strcmp(selected_value, value)) | 211 | if (selected_value && !strcmp(selected_value, value)) |
| 212 | html(" selected='selected'"); | 212 | html(" selected='selected'"); |
| 213 | html(">"); | 213 | html(">"); |
| 214 | html_txt(text); | 214 | html_txt(text); |
| 215 | html("</option>\n"); | 215 | html("</option>\n"); |
| 216 | } | 216 | } |
| 217 | 217 | ||
| 218 | void html_link_open(const char *url, const char *title, const char *class) | 218 | void html_link_open(const char *url, const char *title, const char *class) |
| 219 | { | 219 | { |
| 220 | html("<a href='"); | 220 | html("<a href='"); |
| 221 | html_attr(url); | 221 | html_attr(url); |
| 222 | if (title) { | 222 | if (title) { |
| 223 | html("' title='"); | 223 | html("' title='"); |
| 224 | html_attr(title); | 224 | html_attr(title); |
| 225 | } | 225 | } |
| 226 | if (class) { | 226 | if (class) { |
| 227 | html("' class='"); | 227 | html("' class='"); |
| 228 | html_attr(class); | 228 | html_attr(class); |
| 229 | } | 229 | } |
| 230 | html("'>"); | 230 | html("'>"); |
| 231 | } | 231 | } |
| 232 | 232 | ||
| 233 | void html_link_close(void) | 233 | void html_link_close(void) |
| 234 | { | 234 | { |
| 235 | html("</a>"); | 235 | html("</a>"); |
| 236 | } | 236 | } |
| 237 | 237 | ||
| 238 | void html_fileperm(unsigned short mode) | 238 | void html_fileperm(unsigned short mode) |
| 239 | { | 239 | { |
| 240 | htmlf("%c%c%c", (mode & 4 ? 'r' : '-'), | 240 | htmlf("%c%c%c", (mode & 4 ? 'r' : '-'), |
| 241 | (mode & 2 ? 'w' : '-'), (mode & 1 ? 'x' : '-')); | 241 | (mode & 2 ? 'w' : '-'), (mode & 1 ? 'x' : '-')); |
| 242 | } | 242 | } |
| 243 | 243 | ||
| 244 | int html_include(const char *filename) | 244 | int html_include(const char *filename) |
| 245 | { | 245 | { |
| 246 | FILE *f; | 246 | FILE *f; |