authorJorge Arellano Cid <jcid@dillo.org>2013-07-25 15:52:22 -0400
committerJorge Arellano Cid <jcid@dillo.org>2013-07-25 15:52:22 -0400
commitc83f8355165287897ceb69255f4a7de1d475752e (patch)
tree0be9d74bdbcfee4a40334d0dd3fd132b55aef249 /src/html.cc
parentaa11ed3b29b10dfc6c3107f4023420c1730de7be (diff)
Fix a bug with injected HTML that could lead to reads out of bounds.
Problem details are in the getCurTagLineNumber.html.asan file. This solution adds a flag to avoid generating potential HTML bug messages for injected HTML. The problem is that injected HTML lies in a separate buffer, so the line number counter gets lost. BTW, there's no point in the bug message because the user never sees the browser-injected HTML source. In this particular case there was a bug in the original HTML file that went unreported. This patch also fixes this.
Diffstat (limited to 'src/html.cc')
-rw-r--r--src/html.cc8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/html.cc b/src/html.cc
index 896700ec..9e11a05a 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -542,6 +542,8 @@ int DilloHtml::getCurTagLineNumber()
const char *p = Start_Buf;
dReturn_val_if_fail(p != NULL, -1);
+ /* Disable line counting for META hack. Buffers differ. */
+ dReturn_val_if((InFlags & IN_META_HACK), -1);
ofs = CurrTagOfs;
line = OldTagLine;
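Review bot: The added guard in getCurTagLineNumber() keeps the read in bounds only if every path that hands the parser a foreign buffer sets IN_META_HACK, because `CurrTagOfs` is still never checked against the extent of `Start_Buf`. A defence-in-depth check that returns -1 when the offset exceeds the page buffer's length would turn any future mismatch into a missing line number rather than an out-of-bounds read. The comment could also state the invariant, e.g. `/* Injected HTML lives in its own buffer, so CurrTagOfs is not an offset into Start_Buf. */`. The counting loop is outside this hunk, so whether it has a bound of its own cannot be confirmed from here.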
@@ -2865,7 +2867,7 @@ static void Html_tag_open_meta(DilloHtml *html, const char *tag, int tagsize)
} else {
mr_url = dStrdup(content);
}
- new_url = a_Url_new(mr_url, URL_STR(html->base_url));
+ new_url = a_Html_url_new(html, mr_url, NULL, 0);
if (a_Url_cmp(html->base_url, new_url) == 0) {
/* redirection loop, or empty url string: ignore */
@@ -2881,11 +2883,11 @@ static void Html_tag_open_meta(DilloHtml *html, const char *tag, int tagsize)
* TODO: This is a hairy hack,
* It'd be much better to build a widget. */
Dstr *ds_msg = dStr_sized_new(256);
- dStr_sprintf(ds_msg, meta_template, mr_url, delay_str);
+ dStr_sprintf(ds_msg, meta_template, URL_STR(new_url), delay_str);
{
int o_InFlags = html->InFlags;
int o_TagSoup = html->TagSoup;
- html->InFlags = IN_BODY;
+ html->InFlags = IN_BODY + IN_META_HACK;
html->TagSoup = false;
Html_write_raw(html, ds_msg->str, ds_msg->len, 0);
html->TagSoup = o_TagSoup;
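Review bot: `URL_STR(new_url)` and `delay_str` both derive from the page's META tag, are formatted into `meta_template`, and are then parsed as markup by `Html_write_raw`, yet nothing visible in this hunk escapes them for HTML context. If the URL constructor already encodes quotes and angle brackets, a comment should say so next to the `dStr_sprintf` call, e.g. `/* new_url is already URL-encoded, so it cannot close the attribute it is placed in */`. If it does not, the values need HTML-escaping before formatting. Separately, flags are better combined with bitwise OR, `html->InFlags = IN_BODY | IN_META_HACK;`, since `+` only gives the right mask while the two bits are disjoint. The restore of `o_InFlags` is presumably just after this hunk; it must run on every exit path, or line-number reporting stays disabled for the rest of the document.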