From 0ae7f4f53720e867c92ac9465062285293568856 Mon Sep 17 00:00:00 2001
From: Vicent Marti
Date: Wed, 10 Sep 2014 20:02:01 +0200
Subject: Handle overflows in the codepoint parser

---
 src/html/houdini_html_u.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
(limited to 'src')

diff --git a/src/html/houdini_html_u.c b/src/html/houdini_html_u.c
index b8e2d8d..49b4956 100644
--- a/src/html/houdini_html_u.c
+++ b/src/html/houdini_html_u.c
@@ -15,13 +15,25 @@ houdini_unescape_ent(strbuf *ob, const uint8_t *src, size_t size)
 int codepoint = 0;
 if (_isdigit(src[1])) {
- for (i = 1; i < size && _isdigit(src[i]); ++i)
- codepoint = (codepoint * 10) + (src[i] - '0');
+ for (i = 1; i < size && _isdigit(src[i]); ++i) {
+ int cp = (codepoint * 10) + (src[i] - '0');
+
+ if (cp < codepoint) return 0;
+
+ codepoint = cp;
+ }
 } else if (src[1] == 'x' || src[1] == 'X') {
- for (i = 2; i < size && _isxdigit(src[i]); ++i)
- codepoint = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+ for (i = 2; i < size && _isxdigit(src[i]); ++i) {
+ int cp = (codepoint * 16) + ((src[i] | 32) % 39 - 9);
+
+ if (cp < codepoint) return 0;
+
+ codepoint = cp;
+ }
 }
 if (i < size && src[i] == ';' && codepoint) {
-- 
cgit v1.2.3
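Review bot: The overflow guard `if (cp < codepoint) return 0;` added in both loops only fires after `codepoint * 10` (or `* 16`) has already overflowed a signed `int`, which is undefined behaviour in C, so an optimizing compiler is entitled to treat the comparison as always false and drop the check, leaving an over-long numeric entity exactly as unguarded as before the patch. Check the bound before the multiplication instead, e.g. `if (codepoint > (INT_MAX - 9) / 10) return 0;` in the decimal loop and `if (codepoint > (INT_MAX - 15) / 16) return 0;` in the hex loop (`INT_MAX` from `<limits.h>`), and then assign `codepoint = cp;` unconditionally. If the code after the hunk already rejects values above the largest Unicode code point, a single `if (codepoint > 0x10FFFF) return 0;` at the top of each iteration would be a tighter and simpler bound, though that cannot be confirmed from the hunk alone. The enclosing function `houdini_unescape_ent` begins before this hunk and its tail, including the body of the `if (... && codepoint)` branch, continues past it.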