aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVicent Marti <tanoku@gmail.com>2014-09-10 20:02:01 +0200
committerVicent Marti <tanoku@gmail.com>2014-09-10 20:02:01 +0200
commit0ae7f4f53720e867c92ac9465062285293568856 (patch)
tree1c95ac79069e0adefd702232a0871c01c392c75d
parent8c028e1a88c2d2aac4a4086202568bee43678aa8 (diff)
Handle overflows in the codepoint parser
-rw-r--r--src/html/houdini_html_u.c20
1 files changed, 16 insertions, 4 deletions
diff --git a/src/html/houdini_html_u.c b/src/html/houdini_html_u.c
index b8e2d8d..49b4956 100644
--- a/src/html/houdini_html_u.c
+++ b/src/html/houdini_html_u.c
@@ -15,13 +15,25 @@ houdini_unescape_ent(strbuf *ob, const uint8_t *src, size_t size)
int codepoint = 0;
if (_isdigit(src[1])) {
- for (i = 1; i < size && _isdigit(src[i]); ++i)
- codepoint = (codepoint * 10) + (src[i] - '0');
+ for (i = 1; i < size && _isdigit(src[i]); ++i) {
+ int cp = (codepoint * 10) + (src[i] - '0');
+
+ if (cp < codepoint)
+ return 0;
+
+ codepoint = cp;
+ }
}
else if (src[1] == 'x' || src[1] == 'X') {
- for (i = 2; i < size && _isxdigit(src[i]); ++i)
- codepoint = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+ for (i = 2; i < size && _isxdigit(src[i]); ++i) {
+ int cp = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+
+ if (cp < codepoint)
+ return 0;
+
+ codepoint = cp;
+ }
}
if (i < size && src[i] == ';' && codepoint) {