Fix out-of-bounds memory access in tab expansion.
The loop performs two jobs: finding the first tabstop, and counting the number of characters before it. To count the number of characters before the tabstop, it counts all bytes that are not UTF-8 continuation bytes. The current form of the loop doesn't check the first character, but checks the character past the range's end. Since these are both usually non-continuation characters, it does the right thing accidentally. However, it accesses the character range at index `size`, which is forbidden and might be uninitialized for strings that are not null-terminated.
parent 737304d2aa
commit d2dde183ee
1 changed files with 1 additions and 1 deletions
|
@ -2707,10 +2707,10 @@ static void expand_tabs(hoedown_buffer *ob, const uint8_t *line, size_t size)
|
|||
size_t org = i;
|
||||
|
||||
while (i < size && line[i] != '\t') {
|
||||
i++;
|
||||
/* ignore UTF-8 continuation bytes */
|
||||
if ((line[i] & 0xc0) != 0x80)
|
||||
tab++;
|
||||
i++;
|
||||
}
|
||||
|
||||
if (i > org)
|
||||
|
|
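Review bot: No regression test accompanies this one-file change, and the read at `if ((line[i] & 0xc0) != 0x80)` is only in bounds while it stays ahead of the `i++` inside the `while (i < size && line[i] != '\t')` body, so a later reordering could silently bring the read at index `size` back. Suggest adding a test that calls `expand_tabs` on a line containing no tab, held in an exactly sized buffer that is not null-terminated, and running it under a memory checker. A second case with a multi-byte UTF-8 character as the first character of the line would also pin down the count, since per the commit message the old loop never examined the first byte. The `/* ignore UTF-8 continuation bytes */` comment could also say that `tab` counts characters rather than bytes, which is what the mask test implements.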