organicmaps/libexpat
13
Fork 0
mirror of https://github.com/libexpat/libexpat.git synced 2025-04-05 13:14:59 +00:00
Code Issues 1 Projects Releases Wiki Activity Actions 1

FIx bug with overwriting memory with large numbers of attributes

Browse source
This commit is contained in:
James Clark 1998-11-18 05:40:41 +00:00
parent ca00d00f4d
commit 65fc545d5e
1 changed files with 12 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
expat/xmltok/xmltok_impl.c
View file

@ -1405,33 +1405,39 @@ int PREFIX(getAtts)(const ENCODING *enc, const char *ptr,
#undef START_NAME
case BT_QUOT:
if (state != inValue) {
atts[nAtts].valuePtr = ptr + MINBPC(enc);
if (nAtts < attsMax)
atts[nAtts].valuePtr = ptr + MINBPC(enc);
state = inValue;
open = BT_QUOT;
}
else if (open == BT_QUOT) {
state = other;
atts[nAtts++].valueEnd = ptr;
if (nAtts < attsMax)
atts[nAtts++].valueEnd = ptr;
}
break;
case BT_APOS:
if (state != inValue) {
atts[nAtts].valuePtr = ptr + MINBPC(enc);
if (nAtts < attsMax)
atts[nAtts].valuePtr = ptr + MINBPC(enc);
state = inValue;
open = BT_APOS;
}
else if (open == BT_APOS) {
state = other;
atts[nAtts++].valueEnd = ptr;
if (nAtts < attsMax)
atts[nAtts++].valueEnd = ptr;
}
break;
case BT_AMP:
atts[nAtts].normalized = 0;
if (nAtts < attsMax)
atts[nAtts].normalized = 0;
break;
case BT_S:
if (state == inName)
state = other;
else if (state == inValue
&& nAtts < attsMax
&& atts[nAtts].normalized
&& (ptr == atts[nAtts].valuePtr
|| BYTE_TO_ASCII(enc, ptr) != ' '
@ -1444,7 +1450,7 @@ int PREFIX(getAtts)(const ENCODING *enc, const char *ptr,
Apart from that we could just change state on the quote. */
if (state == inName)
state = other;
else if (state == inValue)
else if (state == inValue && nAtts < attsMax)
atts[nAtts].normalized = 0;
break;
case BT_GT: