authorJorge Arellano Cid <jcid@dillo.org>2013-07-25 16:42:03 -0400
committerJorge Arellano Cid <jcid@dillo.org>2013-07-25 16:42:03 -0400
commitf8e4370ec983f913d719244fe912c0433588445d (patch)
tree45278bbd4c299504328a76c72624a44802ed9280 /src
parentc83f8355165287897ceb69255f4a7de1d475752e (diff)
Fix a bug in the DOCTYPE parser that could go out of bounds on corner cases
Problem details in bof-read-0_Html_parse_doctype.html.asan. Added a strlen check that makes the code work safely for malformed HTML. (the problem lay in an assumption of well-formedness)
Diffstat (limited to 'src')
-rw-r--r--src/html.cc6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/html.cc b/src/html.cc
index 9e11a05a..1023e4aa 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -1498,7 +1498,8 @@ static void Html_parse_doctype(DilloHtml *html, const char *tag, int tagsize)
static const char XHTML11 [] = "-//W3C//DTD XHTML 1.1";
static const char XHTML11_url[] = "http://www.w3.org/TR/xhtml11/DTD/";
- int i, quote;
+ size_t i;
+ int quote;
char *p, *ntag = dStrndup(tag, tagsize);
/* Tag sanitization: Collapse whitespace between tokens
@@ -1523,7 +1524,8 @@ static void Html_parse_doctype(DilloHtml *html, const char *tag, int tagsize)
_MSG("New: {%s}\n", ntag);
/* The default DT_NONE type is TagSoup */
- if (!dStrnAsciiCasecmp(ntag, HTML_SGML_sig, strlen(HTML_SGML_sig))) {
+ if (i > strlen(HTML_SGML_sig) && // avoid out of bounds reads!
+ !dStrnAsciiCasecmp(ntag, HTML_SGML_sig, strlen(HTML_SGML_sig))) {
p = ntag + strlen(HTML_SGML_sig) + 1;
if (!strncmp(p, HTML401, strlen(HTML401)) &&
dStriAsciiStr(p + strlen(HTML401), HTML401_url)) {
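Review bot: The new guard `i > strlen(HTML_SGML_sig)` only makes `p = ntag + strlen(HTML_SGML_sig) + 1` safe if `i` equals the length of the sanitized `ntag` at this point, and the code that sets `i` (the tag-sanitization loop) lies above this hunk, so that equivalence cannot be checked here; if `i` is a write index that can differ from the bytes actually kept in `ntag`, the bound is not the one the read needs. Comparing against the string itself removes the dependency on how `i` is maintained: `if (strlen(ntag) > strlen(HTML_SGML_sig) && // avoid out of bounds reads!`. Either way, `strlen(HTML_SGML_sig)` is evaluated three times in four lines; hoisting it into `const size_t siglen = strlen(HTML_SGML_sig);` near the top of the function would make the bound and the `+ 1` after it easier to verify by eye. The trailing comment would say more if it named what the bound protects, e.g. `/* p below skips the signature plus one separator, so ntag must hold more than strlen(HTML_SGML_sig) bytes */`. Html_parse_doctype's body starts before this hunk and continues past it.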