 |
atom, json, mbox: fix reading past the buffer with an escaped NUL byte (\ NUL) … |
 |
git clone git://git.codemadness.org/sfeed |
 |
Log |
|
Files |
|
Refs |
|
README |
|
LICENSE |
|
--- |
|
commit eb8d6cf63815bff6697ebc7ae1b83f998b6eab53 |
|
parent 728270f69c34a84cb10aa891178c90c8fe36320d |
|
Author: Hiltjo Posthuma <[email protected]> |
|
Date: Thu, 13 Apr 2023 00:34:23 +0200 |
|
|
|
atom, json, mbox: fix reading past the buffer with an escaped NUL byte (\ NUL) |
|
|
|
This would skip checking the end of the string of checking a NUL byte, because |
|
the iteration was done before checking it. |
|
|
|
It would proceed into the data that comes after. Note that sfeed itself can't |
|
generate such malformed data itself. |
|
|
|
Example input: |
|
|
|
0 title link content\ html |
|
|
|
Would incorrect print "contenthtml" as the content. |
|
|
|
Diffstat: |
|
M sfeed_atom.c | 2 ++ |
|
M sfeed_json.c | 2 ++ |
|
M sfeed_mbox.c | 2 ++ |
|
|
|
3 files changed, 6 insertions(+), 0 deletions(-) |
|
--- |
|
diff --git a/sfeed_atom.c b/sfeed_atom.c |
|
@@ -22,6 +22,8 @@ printcontent(const char *s) |
|
case '&': fputs("&", stdout); break; |
|
case '"': fputs(""", stdout); break; |
|
case '\\': |
|
+ if (*(s + 1) == '\0') |
|
+ break; |
|
s++; |
|
switch (*s) { |
|
case 'n': putchar('\n'); break; |
|
diff --git a/sfeed_json.c b/sfeed_json.c |
|
@@ -16,6 +16,8 @@ printcontent(const char *s) |
|
for (; *s; s++) { |
|
switch (*s) { |
|
case '\\': |
|
+ if (*(s + 1) == '\0') |
|
+ break; |
|
s++; |
|
switch (*s) { |
|
case 'n': fputs("\\n", stdout); break; |
|
diff --git a/sfeed_mbox.c b/sfeed_mbox.c |
|
@@ -37,6 +37,8 @@ escapefrom: |
|
for (; *s; s++) { |
|
switch (*s) { |
|
case '\\': |
|
+ if (*(s + 1) == '\0') |
|
+ break; |
|
s++; |
|
switch (*s) { |
|
case 'n': |
