From e6fd6ea3c95343428570d4356734f66dc4908c40 Mon Sep 17 00:00:00 2001
From: Jorge Arellano Cid <jcid@dillo.org>
Date: Thu, 25 Jul 2013 17:44:35 -0400
Subject: Fixed an off-by-one read bug in the URL resolver

Problem details in bof-read-1_Url_resolve_relative.html.asan
(once again, assuming well-formedness is not a good idea)
---
 src/url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/url.c')

diff --git a/src/url.c b/src/url.c
index e0349c30..c33bca00 100644
--- a/src/url.c
+++ b/src/url.c
@@ -263,7 +263,7 @@ static Dstr *Url_resolve_relative(const char *RelStr,
       } else if (BaseUrl->path) {                     /* relative path */
          dStr_append(Path, BaseUrl->path);
          for (i = Path->len; --i >= 0 && Path->str[i] != '/'; ) ;
-         if (Path->str[i] == '/')
+         if (i >= 0 && Path->str[i] == '/')
             dStr_truncate(Path, ++i);
       }
       if (RelUrl->path)
-- 
cgit v1.2.3