[Libevent-users] patch for evhttp_htmlescape() in http.c
- To: libevent-users@xxxxxxxxxxxxx
- Subject: [Libevent-users] patch for evhttp_htmlescape() in http.c
- From: Mansour Moufid <mansourmoufid@xxxxxxxxx>
- Date: Mon, 23 May 2011 17:54:44 -0400
A couple changes in the file `http.c'.
Removed the `scratch_space' variable from the `evhttp_htmlescape'
function since it wasn't actually used; also removed the `buf'
variable from the `evhttp_htmlescape' function since it was only used
by `scratch_space'.
Modified the `html_replace' function so that it returns the length of
the replacement string instead of the string itself. This is used to
easily check for overflows of the `new_size' variable in the first for
loop of the `evhttp_htmlescape' function, and thus potential out of
bounds writes in the second for loop (if an overflow occurs in
new_size, then new_size < old_size). Also check that new_size + 1
doesn't overflow in mm_malloc(new_size + 1).
---
--- http.c.orig 2011-05-23 16:22:16.848374553 -0400
+++ http.c 2011-05-23 17:36:23.000000000 -0400
@@ -219,29 +219,35 @@ strsep(char **s, const char *del)
}
#endif
-static const char *
-html_replace(char ch, char *buf)
+static size_t
+html_replace(const char ch, const char **escaped)
{
switch (ch) {
case '<':
- return "<";
+ if (escaped != NULL)
+ *escaped = "<";
+ return 4;
case '>':
- return ">";
+ if (escaped != NULL)
+ *escaped = ">";
+ return 4;
case '"':
- return """;
+ if (escaped != NULL)
+ *escaped = """;
+ return 6;
case '\'':
- return "'";
+ if (escaped != NULL)
+ *escaped = "'";
+ return 6;
case '&':
- return "&";
+ if (escaped != NULL)
+ *escaped = "&";
+ return 5;
default:
break;
}
- /* Echo the character back */
- buf[0] = ch;
- buf[1] = '\0';
-
- return buf;
+ return 1;
}
/*
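Review bot: The lengths returned by `html_replace` (4, 6, 5) are hard-coded separately from the literals stored in `*escaped`, and `evhttp_htmlescape` passes that length straight to `memcpy`. Any mismatch between a literal and its number therefore becomes an over-read of the literal or a truncated entity in the output. Deriving the length from the string keeps the two in step, for example `*escaped = LT; return sizeof(LT) - 1;` with `LT` defined once as the entity literal. As this page renders them the literals look like single characters, probably because the archive decoded the entities, so the numbers cannot be checked against the strings from here. A comment on the function should also state that the `default` case leaves `*escaped` untouched, so a caller that passes a non-NULL pointer must pre-set it to the input character.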
@@ -255,21 +261,33 @@ char *
evhttp_htmlescape(const char *html)
{
size_t i;
- size_t new_size = 0, old_size = strlen(html);
+ size_t new_size = 0, old_size = 0;
char *escaped_html, *p;
- char scratch_space[2];
- for (i = 0; i < old_size; ++i)
- new_size += strlen(html_replace(html[i], scratch_space));
+ if (html == NULL)
+ return (NULL);
+
+ old_size = strlen(html);
+ for (i = 0; i < old_size; ++i) {
+ const size_t replace_size = html_replace(html[i], NULL);
+ if (replace_size > EV_SIZE_MAX - new_size) {
+ event_warn("%s: html_replace overflow", __func__);
+ return (NULL);
+ }
+ new_size += replace_size;
+ }
+ if (new_size == EV_SIZE_MAX)
+ return (NULL);
p = escaped_html = mm_malloc(new_size + 1);
if (escaped_html == NULL) {
- event_warn("%s: malloc(%ld)", __func__, (long)(new_size + 1));
+ event_warn("%s: malloc(%lu)", __func__,
+ (unsigned long)(new_size + 1));
return (NULL);
}
for (i = 0; i < old_size; ++i) {
- const char *replaced = html_replace(html[i], scratch_space);
- size_t len = strlen(replaced);
+ const char *replaced = &html[i];
+ const size_t len = html_replace(html[i], &replaced);
memcpy(p, replaced, len);
p += len;
}
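Review bot: The `new_size == EV_SIZE_MAX` guard before `mm_malloc(new_size + 1)` returns NULL without logging anything, while the overflow branch in the loop above it logs through `event_warn`, which appends the current `errno` text even though no system call has failed at that point. Using `event_warnx("%s: html_replace overflow", __func__);` on both paths would keep the two failure cases consistent and avoid a misleading errno string in the log. The function now also returns NULL for a NULL `html`, so its header comment should say that NULL can mean invalid input, size overflow or allocation failure, and that callers must check the result before using it. The end of `evhttp_htmlescape` (terminator and return) lies outside the hunk.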