From 65fc545d5ef7517016a0ee7e8b3bf860b2d92e52 Mon Sep 17 00:00:00 2001
From: James Clark
Date: Wed, 18 Nov 1998 05:40:41 +0000
Subject: [PATCH] FIx bug with overwriting memory with large numbers of attributes

---
 expat/xmltok/xmltok_impl.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/expat/xmltok/xmltok_impl.c b/expat/xmltok/xmltok_impl.c
index 0a5ebd7c..2e2c52ee 100755
--- a/expat/xmltok/xmltok_impl.c
+++ b/expat/xmltok/xmltok_impl.c
@@ -1405,33 +1405,39 @@ int PREFIX(getAtts)(const ENCODING *enc, const char *ptr,
 #undef START_NAME
     case BT_QUOT:
       if (state != inValue) {
-        atts[nAtts].valuePtr = ptr + MINBPC(enc);
+        if (nAtts < attsMax)
+          atts[nAtts].valuePtr = ptr + MINBPC(enc);
         state = inValue;
         open = BT_QUOT;
       }
       else if (open == BT_QUOT) {
         state = other;
-        atts[nAtts++].valueEnd = ptr;
+        if (nAtts < attsMax)
+          atts[nAtts++].valueEnd = ptr;
       }
       break;
     case BT_APOS:
       if (state != inValue) {
-        atts[nAtts].valuePtr = ptr + MINBPC(enc);
+        if (nAtts < attsMax)
+          atts[nAtts].valuePtr = ptr + MINBPC(enc);
         state = inValue;
         open = BT_APOS;
       }
       else if (open == BT_APOS) {
         state = other;
-        atts[nAtts++].valueEnd = ptr;
+        if (nAtts < attsMax)
+          atts[nAtts++].valueEnd = ptr;
       }
       break;
     case BT_AMP:
-      atts[nAtts].normalized = 0;
+      if (nAtts < attsMax)
+        atts[nAtts].normalized = 0;
       break;
     case BT_S:
       if (state == inName)
         state = other;
       else if (state == inValue
+               && nAtts < attsMax
                && atts[nAtts].normalized
                && (ptr == atts[nAtts].valuePtr
                    || BYTE_TO_ASCII(enc, ptr) != ' '
@@ -1444,7 +1450,7 @@ int PREFIX(getAtts)(const ENCODING *enc, const char *ptr,
          Apart from that we could just change state on the quote. */
       if (state == inName)
         state = other;
-      else if (state == inValue)
+      else if (state == inValue && nAtts < attsMax)
         atts[nAtts].normalized = 0;
       break;
     case BT_GT:
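Review bot: Putting the increment inside the guard on the close-quote lines, `if (nAtts < attsMax) atts[nAtts++].valueEnd = ptr;` in both the BT_QUOT and BT_APOS branches, caps `nAtts` at `attsMax`, so a caller that sizes its array from the returned count and retries can no longer learn that the input held more attributes than fit, and the extra ones are silently dropped instead of reported. Keep the store bounded but count every attribute: `if (nAtts < attsMax) atts[nAtts].valueEnd = ptr;` followed by `nAtts++;` on its own line, in both branches. The other reads of `atts[nAtts]` in this hunk (the BT_AMP store and the BT_S condition) and the one in the second hunk are already behind `nAtts < attsMax`, so counting past the limit does not reintroduce the out-of-bounds write this commit fixes. getAtts starts and ends outside the hunk, so whether the caller relies on the returned count exceeding attsMax is inferred from the attsMax parameter rather than visible here.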