HTUnEscape may skip over NUL byte...

• To: www-lib-bugs@w3.org
• Subject: HTUnEscape may skip over NUL byte...
• From: Markku Savela <msa@msa.tte.vtt.fi>
• Date: Thu, 14 Nov 1996 14:17:16 +0200 (EET)
• From www-lib-bugs-request@www10.w3.org Thu Nov 14 07: 17:19 1996
• Message-Id: <199611141217.OAA16267@msa.tte.vtt.fi>
• Reply-to: msa@hemuli.tte.vtt.fi (Markku Savela)
• X-List-URL: http://www.w3.org/pub/WWW/Archives/Public/www-lib-bugs/

If HTUnEscape is given a string like "....%2", it will step over the
terminating NUL byte, and with bad luck, if the next bytes are
non-NUL, it may trash memory too. I think following minimal fix will
repair the problem:

*** HTEscape.c.ORIG	Wed May  1 02:31:29 1996
--- HTEscape.c	Thu Nov 14 13:02:49 1996
***************
*** 112,119 ****
          if (*p == HEX_ESCAPE) {
  	    p++;
  	    if (*p) *q = from_hex(*p++) * 16;
! 	    if (*p) *q = FROMASCII(*q + from_hex(*p));
! 	    p++, q++;
  	} else {
  	    *q++ = *p++; 
  	}
--- 112,119 ----
          if (*p == HEX_ESCAPE) {
  	    p++;
  	    if (*p) *q = from_hex(*p++) * 16;
! 	    if (*p) *q = FROMASCII(*q + from_hex(*p)), ++p;
! 	    q++;
  	} else {
  	    *q++ = *p++; 
  	}


Disclaimer! This is of course my view of the matter. Someone in W3C
should probably verify the patch (or invent a neater one).

--
Markku Savela (msa@hemuli.tte.vtt.fi),     Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/

• Prev: patch for HTCache.c (of version 5.0a)
• Next: Still about server mode in libwwww 5.0a...
• Index: Message index of www-lib-bugs@w3.org mailing list
• Thread: Thread index of www-lib-bugs@w3.org mailing list