Re: [xml] A long URL causes SEGV
- From: Igor Zlatkovic <igor zlatkovic com>
- To: Yuuichi Teranishi <teranisi gohome org>
- Cc: xml gnome org
- Subject: Re: [xml] A long URL causes SEGV
- Date: Mon, 09 Feb 2004 15:22:34 +0100
Yuuichi Teranishi wrote:
> Thanks for your quick response... But it still crashes!
> More strict checking seems to be required.
Okay, my mistake. Didn't look good enough. The patch attached to this
mail solves the issue.
However, I have a question for everyone. Look at this code from nanohttp.c:
    while ((*cur != 0) && (indx < 4096)) {
        if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
            /* some processing here */
        }
        buf[indx++] = *cur++;
    }
At any given point cur[1] can be the terminating zero and cur[2] not a
part of the memory block. An access to cur[2] would then mean accessing
an unknown territory.
That however doesn't happen. The C compiler, when doing a (...) && (...)
&& (...), won't evaluate further parentheses after it encounters the
first one that evaluates to false. In our example, test for cur[1] is
false and an access to cur[2] doesn't happen.
Question: Who can guarantee that all compilers really behave this way?
Is there anything in the C spec that forces the compiler to evaluate
these parentheses in exactly this manner?
Ciao,
Igor
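The short-circuit question above, as an added example that is not part of the original message or of libxml2: ISO C (C99 6.5.13) requires && to evaluate left to right and to skip the right operand once the left compares equal to 0. The names scan_scheme, peek and last_max_read are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Highest index read via peek(): shows which && operands were evaluated. */
static size_t max_read;

static char peek(const char *s, size_t i) {
    if (i > max_read) max_read = i;
    return s[i];
}

/* Hypothetical helper, not libxml2 code: copy the scheme before "://" into
 * out (outsz bytes, terminator included). Returns the scheme length, or -1
 * when there is no "://" or the scheme does not fit. */
static int scan_scheme(const char *url, char *out, size_t outsz) {
    size_t i = 0;
    max_read = 0;
    if (outsz == 0) return -1;
    while (peek(url, i) != 0) {
        /* C99 6.5.13: && stops at the first operand equal to 0, so
         * url[i + 2] is read only when url[i + 1] is '/'. */
        if (peek(url, i) == ':' && peek(url, i + 1) == '/' &&
            peek(url, i + 2) == '/') {
            out[i] = 0;
            return (int)i;
        }
        if (i >= outsz - 1) return -1; /* keep one byte for the terminator */
        out[i] = url[i];
        i++;
    }
    return -1;
}

/* Highest index touched by the most recent scan_scheme() call. */
static size_t last_max_read(void) { return max_read; }

int main(void) {
    char buf[8];
    /* Constructed inputs. In "http:" the terminator sits at index 5, right
     * after the colon; index 6 is outside the string and is never read. */
    int r = scan_scheme("http:", buf, sizeof buf);
    printf("%d max_read=%zu\n", r, last_max_read());
    r = scan_scheme("http://h/", buf, sizeof buf);
    printf("%d %s\n", r, buf);
    printf("%d\n", scan_scheme("averylongscheme://h/", buf, sizeof buf));
    return 0;
}
```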
Index: nanohttp.c
===================================================================
RCS file: /cvs/gnome/libxml2/nanohttp.c,v
retrieving revision 1.76
diff -c -r1.76 nanohttp.c
*** nanohttp.c 1 Nov 2003 17:04:58 -0000 1.76
--- nanohttp.c 9 Feb 2004 14:04:33 -0000
***************
*** 288,294 ****
}
if (URL == NULL) return;
buf[indx] = 0;
! while (*cur != 0) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[indx] = 0;
ctxt->protocol = xmlMemStrdup(buf);
--- 288,294 ----
}
if (URL == NULL) return;
buf[indx] = 0;
! while ((*cur != 0) && (indx < 4096)) {
if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
buf[indx] = 0;
ctxt->protocol = xmlMemStrdup(buf);
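Review bot: the new condition in `while ((*cur != 0) && (indx < 4096))` stops the copy, but nothing tells the caller that the URL was cut short; when the loop ends because indx reached 4096, *cur is still non-zero and parsing carries on with a partial buffer. Suggest rejecting the URL at that point (the __xmlIOErr call with XML_HTTP_URL_SYNTAX that appears further down in this patch would fit) and deriving the limit from the buffer size rather than repeating the literal 4096 in every loop.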
***************
*** 301,307 ****
if (*cur == 0) return;
buf[indx] = 0;
! while (1) {
if ((strchr (cur, '[') && !strchr (cur, ']')) ||
(!strchr (cur, '[') && strchr (cur, ']'))) {
__xmlIOErr(XML_FROM_HTTP, XML_HTTP_URL_SYNTAX,
--- 301,307 ----
if (*cur == 0) return;
buf[indx] = 0;
! while (indx < 4096) {
if ((strchr (cur, '[') && !strchr (cur, ']')) ||
(!strchr (cur, '[') && strchr (cur, ']'))) {
__xmlIOErr(XML_FROM_HTTP, XML_HTTP_URL_SYNTAX,
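Review bot: `buf[indx] = 0;` just above the changed loop runs with whatever indx the preceding code left behind. If the earlier loop stopped on its new `indx < 4096` limit, *cur is not 0, `if (*cur == 0) return;` does not fire, and this store goes to buf[4096], which is one past the end if buf has 4096 elements (its declaration is not in the patch). `while (indx < 4096)` is then false on entry, so the host is never parsed. Check indx before this point and return an error for an over-long URL.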
***************
*** 311,317 ****
if (cur[0] == '[') {
cur++;
! while (cur[0] != ']')
buf[indx++] = *cur++;
if (!strchr (buf, ':')) {
--- 311,317 ----
if (cur[0] == '[') {
cur++;
! while ((cur[0] != ']') && (indx < 4096))
buf[indx++] = *cur++;
if (!strchr (buf, ':')) {
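Review bot: in the bracketed-host loop, `(indx < 4096)` can now end the copy with cur[0] still not ']', and the next visible statement, `strchr (buf, ':')`, searches buf with no terminator written after the copied bytes. With indx at 4096 there may be no NUL inside the buffer at all, so strchr can read past it. Lower the bound to leave room, write `buf[indx] = 0` before the strchr, and treat a missing ']' after the loop as a syntax error.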
***************
*** 368,374 ****
else {
indx = 0;
buf[indx] = 0;
! while (*cur != 0)
buf[indx++] = *cur++;
buf[indx] = 0;
ctxt->path = xmlMemStrdup(buf);
--- 368,374 ----
else {
indx = 0;
buf[indx] = 0;
! while ((*cur != 0) && (indx < 4096))
buf[indx++] = *cur++;
buf[indx] = 0;
ctxt->path = xmlMemStrdup(buf);
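Review bot: off-by-one in the path copy: `(indx < 4096)` lets indx reach 4096, and the following `buf[indx] = 0;` then writes index 4096, which is outside the buffer if buf has 4096 elements (the declaration is not shown). Bound the loop at one less than the buffer size so the terminator always fits, and decide whether a silently truncated ctxt->path is acceptable or should be reported as an error.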