- From: Markku Savela <msa@msa.tte.vtt.fi>
- Date: Thu, 14 Nov 1996 14:17:16 +0200 (EET)
- To: www-lib-bugs@w3.org
If HTUnEscape is given a string like "....%2", it will step over the terminating NUL byte, and with bad luck, if the next bytes are non-NUL, it may trash memory too. I think the following minimal fix will repair the problem:

*** HTEscape.c.ORIG Wed May 1 02:31:29 1996 --- HTEscape.c Thu Nov 14 13:02:49 1996 *************** *** 112,119 **** if (*p == HEX_ESCAPE) { p++; if (*p) *q = from_hex(*p++) * 16; ! if (*p) *q = FROMASCII(*q + from_hex(*p)); ! p++, q++; } else { *q++ = *p++; } --- 112,119 ---- if (*p == HEX_ESCAPE) { p++; if (*p) *q = from_hex(*p++) * 16; ! if (*p) *q = FROMASCII(*q + from_hex(*p)), ++p; ! q++; } else { *q++ = *p++; }

Disclaimer! This is of course my view of the matter. Someone in W3C should probably verify the patch (or invent a neater one).

-- Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
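Review bot: the now-unconditional `q++;` after the two `if (*p)` lines still emits an output byte for a truncated escape. For input ending in a bare "%", neither assignment runs, so *q is stepped over without being written; for "....%2" only the first assignment runs, so the stored byte is the high nibble times 16 and never passes through FROMASCII. I would handle the truncated case explicitly (copy the "%" through literally, or stop) and advance q only when both digits were consumed. Nothing in the hunk checks that the two characters are hex digits before they reach from_hex, which may be worth adding in the same place. Style: `*q = FROMASCII(...), ++p;` is correct, but the comma form under an unbraced `if` is easy to misread; a braced block would be clearer.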
Received on Thursday, 14 November 1996 07:17:19 UTC
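The failure mode reported above (an escape cut short by the end of the string) can be closed off by validating both digits before consuming either. The following is an added example, not libwww code and not the patch from this message; `hex_val` and `unescape_in_place` are hypothetical names, it assumes an ASCII platform (so no FROMASCII step), and it chooses to copy malformed escapes through literally.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit (NUL included). */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes in place. Malformed or truncated escapes are copied
 * literally. Returns how many such escapes were seen. */
static size_t unescape_in_place(char *s)
{
    char *p = s, *q = s;
    size_t malformed = 0;

    while (*p) {
        if (*p == '%') {
            /* p[1] is at worst the terminating NUL. p[2] is read only when
             * p[1] is a hex digit, so it is also at worst the NUL. */
            int hi = hex_val((unsigned char)p[1]);
            int lo = (hi >= 0) ? hex_val((unsigned char)p[2]) : -1;
            if (lo >= 0) {
                *q++ = (char)(hi * 16 + lo);
                p += 3;
                continue;
            }
            malformed++;
        }
        *q++ = *p++;   /* ordinary byte, or the '%' of a bad escape */
    }
    *q = '\0';
    return malformed;
}

int main(void)
{
    char sample[] = "a%20b....%2";   /* constructed input, truncated escape */
    size_t bad = unescape_in_place(sample);
    printf("%s (malformed escapes: %zu)\n", sample, bad);
    return 0;
}
```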