diff options
author | Alex Richardson <Alexander.Richardson@cl.cam.ac.uk> | 2022-12-01 12:53:15 +0000 |
---|---|---|
committer | Nick Wellnhofer <wellnhofer@aevum.de> | 2022-12-01 15:30:12 +0000 |
commit | c715ded0861af956ba584f566bc7db6717f519d0 (patch) | |
tree | 34a0e7dcf03b0f9710d303cd8b0630750d631b21 /HTMLparser.c | |
parent | c62c0d82ccacc2000c45f211166f008687fb97a0 (diff) | |
download | libxml2-c715ded0861af956ba584f566bc7db6717f519d0.tar.gz |
Avoid creating an out-of-bounds pointer by rewriting a check
Creating more than one-past-the-end pointers is undefined behaviour in C
and while this code is unlikely to be miscompiled, I discovered that an
out-of-bounds pointer is being created using UBSan on a CHERI-enabled
system.
Diffstat (limited to 'HTMLparser.c')
-rw-r--r-- | HTMLparser.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/HTMLparser.c b/HTMLparser.c index 2ab99de1..35859e32 100644 --- a/HTMLparser.c +++ b/HTMLparser.c @@ -2314,7 +2314,7 @@ htmlEncodeEntities(unsigned char* out, int *outlen, else cp = ent->name; len = strlen(cp); - if (out + 2 + len > outend) + if (outend - out < len + 2) break; *out++ = '&'; memcpy(out, cp, len); |