Fix out-of-bounds memory access in tab expansion.
The loop performs two jobs: finding the first tabstop, and counting the number of characters before it. To count the number of characters before the tabstop, it counts all bytes that are not UTF-8 continuation bytes. The current form of the loop doesn't check the first character, but checks the character past the range's end. Since these are both usually non-continuation characters, it does the right thing accidentally. However, it accesses the character range at index `size`, which is forbidden and might be uninitialized for strings that are not null-terminated.
parent 737304d2aa
commit d2dde183ee
1 changed files with 1 additions and 1 deletions
|
@ -2707,10 +2707,10 @@ static void expand_tabs(hoedown_buffer *ob, const uint8_t *line, size_t size)
|
||||||
size_t org = i;
|
size_t org = i;
|
||||||
|
|
||||||
while (i < size && line[i] != '\t') {
|
while (i < size && line[i] != '\t') {
|
||||||
i++;
|
|
||||||
/* ignore UTF-8 continuation bytes */
|
/* ignore UTF-8 continuation bytes */
|
||||||
if ((line[i] & 0xc0) != 0x80)
|
if ((line[i] & 0xc0) != 0x80)
|
||||||
tab++;
|
tab++;
|
||||||
|
i++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (i > org)
|
if (i > org)
|
||||||
|
|
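Review bot: the reordered loop body in `expand_tabs` (the `i++` now placed after the `(line[i] & 0xc0) != 0x80` check) ships without a regression test, so nothing prevents the increment from drifting back above the read. With the new order every `line[i]` access is covered by the `i < size` condition in the `while`, which is the property worth pinning down. Consider adding a test that passes a tab-free line in an exactly sized allocation with no trailing NUL and runs under a memory checker, plus a case where a multi-byte UTF-8 character is the first byte before a tab, so the `tab` count for the first character is asserted rather than correct by accident.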