granicus.if.org Git - libevent/commit
Prevent size_t overflow in evhttp_htmlescape.
author Mansour Moufid <mansourmoufid@gmail.com>
Mon, 23 May 2011 22:01:24 +0000 (18:01 -0400)
committer Nick Mathewson <nickm@torproject.org>
Mon, 23 May 2011 22:01:24 +0000 (18:01 -0400)
commit 06c51cdf9302967be1547a00fa449d9889ab4666
tree 0d161afada62b86255053fb9bb3795acb27cd085
parent 74760f1864b5a25a68d43b1bf22cc4a31d94866f

Modified the `html_replace' function so that it returns the length of
the replacement string instead of the string itself. This is used to
easily check for overflows of the `new_size' variable in the first for
loop of the `evhttp_htmlescape' function, and thus potential out of
bounds writes in the second for loop (if an overflow occurs in
new_size, then new_size < old_size). Also check that new_size + 1
doesn't overflow in mm_malloc(new_size + 1).

Removed the `scratch_space' variable from the `evhttp_htmlescape'
function since it wasn't actually used; also removed the `buf'
variable from the `evhttp_htmlescape' function since it was only used
by `scratch_space'.
http.c
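
The two-pass pattern the commit message describes (size the output with a checked addition, guard `new_size + 1`, then copy) is sketched below as an added example; it is not libevent's code and not taken from this commit. The names `escape_len`, `add_size` and `escape_html_n`, and the replacement table, are assumptions made for illustration.

```c
/* Added example with hypothetical names; not libevent's http.c. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Returns the replacement length for *c and points *out at the replacement
 * text (or at c itself when the byte needs no escaping). */
static size_t escape_len(const char *c, const char **out)
{
    switch (*c) {
    case '<':  *out = "&lt;";   return 4;
    case '>':  *out = "&gt;";   return 4;
    case '"':  *out = "&quot;"; return 6;
    case '\'': *out = "&#039;"; return 6;
    case '&':  *out = "&amp;";  return 5;
    default:   *out = c;        return 1;
    }
}

/* Adds b to *acc; returns -1 and leaves *acc alone rather than wrapping. */
static int add_size(size_t *acc, size_t b)
{
    if (b > SIZE_MAX - *acc)
        return -1;
    *acc += b;
    return 0;
}

/* Escapes the first len bytes of html. Returns a malloc'd, NUL-terminated
 * string, or NULL on size_t overflow or allocation failure. */
char *escape_html_n(const char *html, size_t len)
{
    size_t i, new_size = 0;
    const char *rep;
    char *out, *p;
    for (i = 0; i < len; i++)            /* pass 1: size the output */
        if (add_size(&new_size, escape_len(&html[i], &rep)) < 0)
            return NULL;
    if (new_size == SIZE_MAX)            /* new_size + 1 would wrap to 0 */
        return NULL;
    if ((out = malloc(new_size + 1)) == NULL)
        return NULL;
    for (p = out, i = 0; i < len; i++) { /* pass 2: copy replacements */
        size_t n = escape_len(&html[i], &rep);
        memcpy(p, rep, n);
        p += n;
    }
    *p = '\0';
    return out;
}
```

Without the check in pass 1, a wrapped `new_size` would be smaller than the input length, so pass 2 would write past the end of the allocation.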