Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed a buffer overflow (!) in wxHtmlTagsCache

Browse Source 
git-svn-id: https://svn.wxwidgets.org/svn/wx/wxWidgets/trunk@14837 c3d73ce0-8a6f-49c7-b76d-6d57e0e08775
This commit is contained in:
Vadim Zeitlin
2002-03-28 12:52:27 +00:00
parent 0f243af310
commit 8cd82622a0
1 changed files with 35 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/html/htmltag.cpp
View File

@@ -62,7 +62,7 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
const wxChar *src = source.c_str();
int i, tg, pos, stpos;
int lng = source.Length();
wxChar dummy[256];
wxChar tagBuffer[256];
m_Cache = NULL;
m_CacheSize = 0;
@@ -77,19 +77,18 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
m_Cache = (wxHtmlCacheItem*) realloc(m_Cache, (m_CacheSize + CACHE_INCREMENT) * sizeof(wxHtmlCacheItem));
tg = m_CacheSize++;
m_Cache[tg].Key = stpos = pos++;
dummy[0] = 0; i = 0;
while (pos < lng &&
src[pos] != wxT('>') &&
src[pos] != wxT(' ') && src[pos] != wxT('\r') &&
src[pos] != wxT('\n') && src[pos] != wxT('\t'))
for ( i = 0;
pos < lng && i < WXSIZEOF(tagBuffer) - 1 &&
src[pos] != wxT('>') && !wxIsspace(src[pos]);
i++, pos++ )
{
dummy[i] = src[pos++];
if ((dummy[i] >= wxT('a')) && (dummy[i] <= wxT('z'))) dummy[i] -= (wxT('a') - wxT('A'));
i++;
tagBuffer[i] = wxToupper(src[pos]);
}
dummy[i] = 0;
tagBuffer[i] = _T('\0');
m_Cache[tg].Name = new wxChar[i+1];
memcpy(m_Cache[tg].Name, dummy, (i+1)*sizeof(wxChar));
memcpy(m_Cache[tg].Name, tagBuffer, (i+1)*sizeof(wxChar));
while (pos < lng && src[pos] != wxT('>')) pos++;
@@ -98,7 +97,7 @@ wxHtmlTagsCache::wxHtmlTagsCache(const wxString& source)
m_Cache[tg].End1 = m_Cache[tg].End2 = -2;
// find matching begin tag:
for (i = tg; i >= 0; i--)
if ((m_Cache[i].End1 == -1) && (wxStrcmp(m_Cache[i].Name, dummy+1) == 0))
if ((m_Cache[i].End1 == -1) && (wxStrcmp(m_Cache[i].Name, tagBuffer+1) == 0))
{
m_Cache[i].End1 = stpos;
m_Cache[i].End2 = pos + 1;