authorSteve Wolter <swolter@google.com>2014-12-01 12:35:43 +0100
committerSteve Wolter <swolter@google.com>2014-12-01 12:35:43 +0100
commitd2dde183ee5dff682616eacd0b976cef221e7221 (patch)
tree6ed8c14cf15d2d60885d7ecfff7ceb4179f55e21
parent737304d2aa24a7a225aaf14b2e23065be8adc449 (diff)
Fix out-of-bounds memory access in tab expansion.
The loop performs two jobs: finding the first tabstop, and counting the number of characters before it. To count the number of characters before the tabstop, it counts all bytes that are not UTF-8 continuation bytes. The current form of the loop doesn't check the first character, but checks the character past the range's end. Since these are both usually non-continuation characters, it does the right thing accidentally. However, it accesses the character range at index `size`, which is forbidden and might be uninitialized for strings that are not null-terminated.
-rw-r--r--src/document.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/document.c b/src/document.c
index 3ce4416..47f6cf2 100644
--- a/src/document.c
+++ b/src/document.c
@@ -2707,10 +2707,10 @@ static void expand_tabs(hoedown_buffer *ob, const uint8_t *line, size_t size)
size_t org = i;
while (i < size && line[i] != '\t') {
- i++;
/* ignore UTF-8 continuation bytes */
if ((line[i] & 0xc0) != 0x80)
tab++;
+ i++;
}
if (i > org)
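Review bot: The statement order inside the inner `while` is now what keeps the read in bounds, and nothing in the code says so: the `line[i]` in the continuation-byte test is covered by the `i < size` loop condition only as long as it runs before `i++`. A short comment above the existing one would keep a later cleanup from moving the increment back up, for example `/* read line[i] before advancing; the loop condition only bounds the current index */`. The old read at index `size` is only observable on buffers without a trailing NUL, so a regression test that feeds an exactly-sized, non-terminated buffer through rendering under a memory checker would pin the fix; no test change is visible in this commit. expand_tabs begins and ends outside the hunk.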