Re: [xml] A long URL causes SEGV

[Igor Zlatkovic <igor zlatkovic com>]

Yuuichi Teranishi wrote:

> Thanks for your quick response...But it still crushes!
> More strict checking seems to be required.

Okay, my mistake. Didn't look good enough. The patch attached to this 
mail solves the issue.

However, I have a question for everyone. Look at this code from nanohttp.c:

  while ((*cur != 0) && (indx < 4096)) {
    if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
      /* some processing here */
    }
    buf[indx++] = *cur++;
  }

At any given point cur[1] can be the terminating zero and cur[2] not a 
part of the memory block. An access to cur[2] would then mean accessing 
an unknown territory.

That however doesn't happen. The C compiler, when doing a (...) && (...) 
&& (...), won't evaluate further parentheses after it encounters the 
first one that evaluates to false. In our example, test for cur[1] is 
false and an access to cur[2] doesn't happen.

Question: Who can guarantee that all compilers really behave this way? 
Is there anything in the C spec that forces the compiler to evaluate 
these parentheses in exactly this manner?

Ciao,
Igor

Index: nanohttp.c
===================================================================
RCS file: /cvs/gnome/libxml2/nanohttp.c,v
retrieving revision 1.76
diff -c -r1.76 nanohttp.c
*** nanohttp.c  1 Nov 2003 17:04:58 -0000       1.76
--- nanohttp.c  9 Feb 2004 14:04:33 -0000
***************
*** 288,294 ****
      }
      if (URL == NULL) return;
      buf[indx] = 0;
!     while (*cur != 0) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
            buf[indx] = 0;
            ctxt->protocol = xmlMemStrdup(buf);
--- 288,294 ----
      }
      if (URL == NULL) return;
      buf[indx] = 0;
!     while ((*cur != 0) && (indx < 4096)) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
            buf[indx] = 0;
            ctxt->protocol = xmlMemStrdup(buf);
***************
*** 301,307 ****
      if (*cur == 0) return;
  
      buf[indx] = 0;
!     while (1) {
        if ((strchr (cur, '[') && !strchr (cur, ']')) ||
                (!strchr (cur, '[') && strchr (cur, ']'))) {
            __xmlIOErr(XML_FROM_HTTP, XML_HTTP_URL_SYNTAX, 
--- 301,307 ----
      if (*cur == 0) return;
  
      buf[indx] = 0;
!     while (indx < 4096) {
        if ((strchr (cur, '[') && !strchr (cur, ']')) ||
                (!strchr (cur, '[') && strchr (cur, ']'))) {
            __xmlIOErr(XML_FROM_HTTP, XML_HTTP_URL_SYNTAX, 
***************
*** 311,317 ****
  
        if (cur[0] == '[') {
            cur++;
!           while (cur[0] != ']')
                buf[indx++] = *cur++;
      
            if (!strchr (buf, ':')) {
--- 311,317 ----
  
        if (cur[0] == '[') {
            cur++;
!           while ((cur[0] != ']') && (indx < 4096))
                buf[indx++] = *cur++;
      
            if (!strchr (buf, ':')) {
***************
*** 368,374 ****
      else {
          indx = 0;
          buf[indx] = 0;
!       while (*cur != 0)
            buf[indx++] = *cur++;
        buf[indx] = 0;
        ctxt->path = xmlMemStrdup(buf);
--- 368,374 ----
      else {
          indx = 0;
          buf[indx] = 0;
!       while ((*cur != 0) && (indx < 4096))
            buf[indx++] = *cur++;
        buf[indx] = 0;
        ctxt->path = xmlMemStrdup(buf);