ref: 4ad59914e8a570d869f4e66540578cc3bdbc04eb
parent: 19d38407011bf4b6b16053b699cca8a689bf5808
author: cinap_lenrek <cinap_lenrek@centraldogma>
date: Mon Oct 10 15:54:15 EDT 2011
mothra: fix unicode buffer overflow and spurious select crash, webfs: dont rewrite relative url
--- a/sys/src/cmd/mothra/forms.c
+++ b/sys/src/cmd/mothra/forms.c
@@ -225,7 +225,7 @@
break;
case Tag_option:
if(g->form==0) goto BadTag;
- f=g->form->efields;
+ if((f=g->form->efields)==0) goto BadTag;
o=emallocz(sizeof(Option), 1);
for(op=&f->options;*op;op=&(*op)->next);
*op=o;
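Review bot: The new nil test on `g->form->efields` in the `Tag_option` case shows only that some field exists, not that it is the field opened by a `<select>`. An `<option>` that follows a different kind of field would still be linked onto that field's `options` list. The `Tag_select` branch of `endform` in the later hunk has the same gap, passing the last field to `pl_htmloutput` on any `</select>`. Whether this is harmful depends on how other field types treat `options`, which is not visible here; if `Field` records its kind, testing it beside the nil check would reject the stray tag outright. The enclosing switch starts and ends outside this hunk.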
@@ -288,6 +288,8 @@
* Called by rdhtml on seeing a forms-related end tag
*/
void endform(Hglob *g){
+ Field *f;
+
switch(g->tag){
case Tag_form:
g->form=0;
@@ -295,8 +297,10 @@
case Tag_select:
if(g->form==0)
htmlerror(g->name, g->lineno, "</select> not in form, ignored\n");
+ else if((f=g->form->efields)==0)
+ htmlerror(g->name, g->lineno, "spurious </select>\n");
else
- pl_htmloutput(g, g->nsp, g->form->efields->name,g->form->efields);
+ pl_htmloutput(g, g->nsp, f->name, f);
break;
case Tag_textarea:
break;
--- a/sys/src/cmd/mothra/mothra.c
+++ b/sys/src/cmd/mothra/mothra.c
@@ -1064,11 +1064,9 @@
t->next = nil;
ap=mallocz(sizeof(Action), 1);
ap->link = strdup(a->link);
- t->space += 4;
plrtstr(&t->next, 0, 0, t->font, strdup("->"), 1, ap);
t->next->next = x;
} else {
- t->space -= 4;
t->next = x->next;
x->next = nil;
freetext(x);
--- a/sys/src/cmd/mothra/rdhtml.c
+++ b/sys/src/cmd/mothra/rdhtml.c
@@ -210,7 +210,7 @@
int c;
int n;
Rune r;
- char crune[4];
+ char crune[UTFmax+1];
if(g->heof) return EOF;
if(g->npeekc!=0) return g->peekc[--g->npeekc];
c=pl_readc(g);
@@ -229,9 +229,8 @@
}
if(c=='>') return ETAG;
if(c==EOF) return c;
- n=0;
- for (;;){
- crune[n++]=c;
+ for (n=1; n<=sizeof(crune); n++){
+ crune[n-1]=c;
if(fullrune(crune, n)){
chartorune(&r, crune);
return r;
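Review bot: Bounding the loop with `n<=sizeof(crune)` means control can now leave the `for` without returning, which the old `for(;;)` never did. The code after the loop is outside this hunk, so confirm that it returns a defined value (for example `Runeerror`) instead of falling off the end of the function. `fullrune` is expected to succeed before the bound is reached, so this is a defensive path, but it should still be well defined. The rest of the loop body, including the read of the next byte, is not shown here.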
@@ -437,7 +436,7 @@
return pl_getcomment(g);
pl_putback(g, c);
while((c=pl_nextc(g))!=ETAG && c!=EOF)
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
*tokp='\0';
if(c==EOF) htmlerror(g->name, g->lineno, "EOF in tag");
pl_tagparse(g, g->token);
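Review bot: With the `tokp < &g->token[NTOKEN-UTFmax-1]` guard an over-long tag is truncated silently: every rune past the bound is dropped until `ETAG`, and `pl_tagparse` then parses the shortened token as if it were the whole tag. Reporting it once after the loop when the bound was hit, e.g. `htmlerror(g->name, g->lineno, "tag too long, truncated\n");`, would make a cut-off attribute value diagnosable. The identical guard is repeated in the three later token-collecting loops; naming the limit once, e.g. `#define ETOKEN(g) (&(g)->token[NTOKEN-UTFmax-1])`, keeps the four sites from drifting apart. The enclosing function begins and ends outside this hunk.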
@@ -464,12 +463,12 @@
default:
tokp=g->token;
while(c=='\t'){
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
c=pl_nextc(g);
}
while(c!='\t' && c!='\n' && c!=STAG && c!=EOF){
if(c==ETAG) c='>';
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
c=pl_nextc(g);
}
*tokp='\0';
@@ -489,7 +488,7 @@
tokp=g->token;
do{
if(c==ETAG) c='>';
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
c=pl_nextc(g);
}while(c!=' ' && c!='\t' && c!='\n' && c!=STAG && c!=EOF);
*tokp='\0';
@@ -518,12 +517,12 @@
int c;
g->state->font=CWIDTH;
g->state->size=NORMAL;
- elp=&line[NLINE+1];
+ elp=&line[NLINE-UTFmax-1];
lp=line;
for(;;){
c=pl_readc(g);
if(c==EOF) break;
- if(c=='\n' || lp==elp){
+ if(c=='\n' || lp>=elp){
*lp='\0';
g->linebrk=1;
pl_htmloutput(g, 0, line, 0);
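Review bot: The new limit `elp=&line[NLINE-UTFmax-1]` is undocumented, and it is safe only given two facts that live outside this hunk: the declared size of `line`, and that `lrunetochar` never emits more than `UTFmax` bytes. A comment on the assignment such as `/* stop early: room for one more rune plus the NUL written on flush */` would record that. The tab-expansion loop in the next hunk depends on the same limit through `lp<elp`. It is worth confirming against the declaration that `line` holds at least `NLINE` bytes.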
@@ -530,7 +529,7 @@
lp=line;
}
if(c=='\t'){
- do *lp++=' '; while(lp!=elp && utfnlen(line, lp-line)%8!=0);
+ do *lp++=' '; while(lp<elp && utfnlen(line, lp-line)%8!=0);
}
else if(c!='\n')
lp += lrunetochar(lp, c);
@@ -580,6 +579,7 @@
Hglob g;
int t;
int tagerr;
+
g.state=g.stack;
g.state->tag=Tag_html;
g.state->font=ROMAN;
--- a/sys/src/cmd/webfs/url.c
+++ b/sys/src/cmd/webfs/url.c
@@ -901,6 +901,8 @@
{
char *s;
+ if(u->scheme == nil)
+ return;
if(u->schemedata)
s = estrmanydup(u->scheme, ":", u->schemedata, nil);
else
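Review bot: The early `return` for `u->scheme == nil` has no comment saying what state the URL is left in. The rebuilt string is simply not produced, so whatever the caller reads afterwards is the value from before the call. A one-line comment, `/* relative url: no scheme, keep the string as parsed */`, would tie the check to the commit message. Callers that expect this function to have normalised the URL are outside the hunk and worth a check; the function's signature and the end of its body are not visible here.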
@@ -909,7 +911,7 @@
u->passwd ? ":" : "", u->passwd ? u->passwd : "",
u->user ? "@" : "", u->host ? u->host : "",
u->port ? ":" : "", u->port ? u->port : "",
- u->path,
+ u->path ? u->path : "",
u->query ? "?" : "", u->query ? u->query : "",
u->fragment ? "#" : "", u->fragment ? u->fragment : "",
nil);