Re: [xml] A long URL causes SEGV



Yuuichi Teranishi wrote:

Thanks for your quick response... But it still crashes!
More strict checking seems to be required.

Okay, my mistake. Didn't look good enough. The patch attached to this mail solves the issue.

However, I have a question for everyone. Look at this code from nanohttp.c:

  while ((*cur != 0) && (indx < 4096)) {
    if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
      /* some processing here */
    }
    buf[indx++] = *cur++;
  }

At any given point cur[1] can be the terminating zero and cur[2] not part of the memory block. An access to cur[2] would then mean accessing unknown territory.

That, however, doesn't happen. The C compiler, when doing a (...) && (...) && (...), won't evaluate further parentheses after it encounters the first one that evaluates to false. In our example, the test for cur[1] is false and an access to cur[2] doesn't happen.

Question: Who can guarantee that all compilers really behave this way? Is there anything in the C spec that forces the compiler to evaluate these parentheses in exactly this manner?

Ciao,
Igor
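The scheme-scanning loop discussed above, rewritten as an added example (not libxml2's code and not part of this thread): it keeps the short-circuit "://" test, which the C standard (C99 6.5.13) guarantees is evaluated left to right and stops at the first false operand, bounds the copy so the terminating NUL stays inside the buffer, and rejects an over-long URL instead of silently truncating it. The function names, the buffer size and the constructed sample input are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical rewrite of the scheme-scanning loop (added example, not
 * libxml2's code).  Copies the scheme part of `url` into `buf` (capacity
 * `bufsz`, NUL included).  Returns the scheme length if "://" was found,
 * 0 if the string ended without "://", and -1 if the scheme does not fit.
 * Over-long input is rejected, not silently truncated. */
int copy_scheme(const char *url, char *buf, size_t bufsz)
{
    const char *cur = url;
    size_t indx = 0;
    if (buf == NULL || bufsz == 0) return -1;
    while (*cur != 0) {
        /* && is evaluated left to right and stops at the first false
         * operand (C99 6.5.13): when cur[1] is the terminating NUL the
         * comparison with '/' fails and cur[2] is never read. */
        if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
            buf[indx] = 0;
            return (int)indx;
        }
        /* Reserve one byte for the terminator: bounding at bufsz - 1 keeps
         * the buf[indx] = 0 stores below inside the array. */
        if (indx >= bufsz - 1) {
            buf[indx] = 0;
            return -1;
        }
        buf[indx++] = *cur++;
    }
    buf[indx] = 0;
    return 0;
}

/* Helpers for the checks: scan_scheme() runs copy_scheme() against a
 * 4096-byte buffer, last_scheme() returns what it left there. */
static char scheme_buf[4096];
int scan_scheme(const char *url) { return copy_scheme(url, scheme_buf, sizeof(scheme_buf)); }
const char *last_scheme(void) { return scheme_buf; }

/* Constructed input: a 5000-character scheme followed by "://", the kind
 * of over-long URL reported in the thread.  Returns -1 (rejected). */
int demo_long_url(void)
{
    static char url[5004];
    memset(url, 'a', 5000);
    memcpy(url + 5000, "://", 4);   /* includes the NUL */
    return scan_scheme(url);
}
```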

Index: nanohttp.c
===================================================================
RCS file: /cvs/gnome/libxml2/nanohttp.c,v
retrieving revision 1.76
diff -c -r1.76 nanohttp.c
*** nanohttp.c  1 Nov 2003 17:04:58 -0000       1.76
--- nanohttp.c  9 Feb 2004 14:04:33 -0000
***************
*** 288,294 ****
      }
      if (URL == NULL) return;
      buf[indx] = 0;
!     while (*cur != 0) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
            buf[indx] = 0;
            ctxt->protocol = xmlMemStrdup(buf);
--- 288,294 ----
      }
      if (URL == NULL) return;
      buf[indx] = 0;
!     while ((*cur != 0) && (indx < 4096)) {
          if ((cur[0] == ':') && (cur[1] == '/') && (cur[2] == '/')) {
            buf[indx] = 0;
            ctxt->protocol = xmlMemStrdup(buf);
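Review bot: when the new `indx < 4096` bound on the while at 291 trips, the loop simply falls out with no "://" found and no diagnostic, so an over-long URL is parsed as if it had no scheme instead of being rejected; since the same function already reports malformed URLs with `__xmlIOErr(XML_FROM_HTTP, XML_HTTP_URL_SYNTAX, ...)` (visible in the next hunk), an `if (indx >= 4096)` check after the loop that takes that path and returns would make the limit visible to the caller. The literal 4096 is also repeated in every hunk of this patch; `sizeof(buf)` or one named constant would keep the bounds tied to the buffer's declaration.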
***************
*** 301,307 ****
      if (*cur == 0) return;
  
      buf[indx] = 0;
!     while (1) {
        if ((strchr (cur, '[') && !strchr (cur, ']')) ||
                (!strchr (cur, '[') && strchr (cur, ']'))) {
            __xmlIOErr(XML_FROM_HTTP, XML_HTTP_URL_SYNTAX, 
--- 301,307 ----
      if (*cur == 0) return;
  
      buf[indx] = 0;
!     while (indx < 4096) {
        if ((strchr (cur, '[') && !strchr (cur, ']')) ||
                (!strchr (cur, '[') && strchr (cur, ']'))) {
            __xmlIOErr(XML_FROM_HTTP, XML_HTTP_URL_SYNTAX, 
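Review bot: the bound added to the while at 304 only terminates the loop if every iteration of the body increments indx; the part of the body visible here only calls strchr() on cur and never touches indx, so whether the loop is now bounded depends on code outside the hunk, and any path that advances cur without storing into buf would still spin. While here, the condition at 305-306 calls strchr() up to four times per iteration; computing `lb = strchr(cur, '[')` and `rb = strchr(cur, ']')` once and testing `(lb != NULL) != (rb != NULL)` is equivalent and avoids rescanning the long URLs this patch is about.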
***************
*** 311,317 ****
  
        if (cur[0] == '[') {
            cur++;
!           while (cur[0] != ']')
                buf[indx++] = *cur++;
      
            if (!strchr (buf, ':')) {
--- 311,317 ----
  
        if (cur[0] == '[') {
            cur++;
!           while ((cur[0] != ']') && (indx < 4096))
                buf[indx++] = *cur++;
      
            if (!strchr (buf, ':')) {
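Review bot: the inner while at 314 can now stop with indx == 4096 instead of at ']', but the code after it is unchanged: `strchr(buf, ':')` runs on a buf that nothing in this hunk terminates after the copy, and cur still points into the middle of the bracketed host, so the rest of the parse works from the wrong position. Checking `cur[0] != ']'` after the loop, reporting XML_HTTP_URL_SYNTAX and returning, and storing `buf[indx] = 0` before the strchr() would close that off.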
***************
*** 368,374 ****
      else {
          indx = 0;
          buf[indx] = 0;
!       while (*cur != 0)
            buf[indx++] = *cur++;
        buf[indx] = 0;
        ctxt->path = xmlMemStrdup(buf);
--- 368,374 ----
      else {
          indx = 0;
          buf[indx] = 0;
!       while ((*cur != 0) && (indx < 4096))
            buf[indx++] = *cur++;
        buf[indx] = 0;
        ctxt->path = xmlMemStrdup(buf);
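Review bot: `buf[indx] = 0;` at 372 follows a loop bounded by `indx < 4096`, so when the bound is what stops the copy, indx is 4096 and the terminator is stored at buf[4096]; if buf is a 4096-byte array (its declaration is not in the hunk) that is a one-byte write past the end, the same class of bug this patch is fixing. Bounding at `indx < 4096 - 1` (or `sizeof(buf) - 1`) leaves room for the NUL; the path stored in `ctxt->path` is otherwise also silently truncated with no error reported to the caller.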

