From e66d434aeb97c78daf0d6c3b8e7de0b157310635 Mon Sep 17 00:00:00 2001
From: Jorge Arellano Cid
Date: Wed, 11 Sep 2013 19:45:56 -0300
Subject: Fix a corner case with attribute parsing and null-bytes in HTML content e.g. details in gbof-read-0_Html_get_attr2.html.asan
---
 src/html.cc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'src/html.cc')
diff --git a/src/html.cc b/src/html.cc
index 1f9f5e0a..03bcb736 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -3854,10 +3854,13 @@ static const char *Html_get_attr2(DilloHtml *html,
 break;
 
 case MATCH_ATTR_NAME:
- if ((Found = (!(attrname[attr_pos]) &&
- (tag[i] == '=' || isspace(tag[i]) || tag[i] == '>')))) {
+ if (!attrname[attr_pos] &&
+ (tag[i] == '=' || isspace(tag[i]) || tag[i] == '>')) {
+ Found = 1;
 state = SEEK_TOKEN_START;
 --i;
+ } else if (!tag[i]) {
+ state = SEEK_ATTR_START; // NULL byte is not allowed
 } else {
 if (D_ASCII_TOLOWER(tag[i]) != D_ASCII_TOLOWER(attrname[attr_pos]))
 state = SEEK_ATTR_START;
-- 
cgit v1.2.3
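Review bot: The `isspace(tag[i])` call carried into the rewritten `MATCH_ATTR_NAME` condition passes a byte of page content to a `<ctype.h>` function without a cast. If `tag` is a plain `char` buffer (its declaration is outside the hunk) and `char` is signed on the target, any byte above 0x7F becomes a negative argument, which is undefined behaviour. As this branch is being hardened against hostile bytes anyway, the call should read `isspace((unsigned char)tag[i])`. The new comment would also be more useful if it named the invariant it protects, which appears to be `// NUL in tag must not match attrname's terminator and move attr_pos past it`. `Html_get_attr2` begins and ends outside the hunk, so other `tag[i]` classifications in the function may need the same cast.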