Fix buffer size checks to prevent 2-byte buffer overflows. (Coverity #480,
#481, #482, #483)
This commit is contained in:
parent
fc0772de36
commit
b1b731c286
|
@ -1,5 +1,11 @@
|
|||
2006-03-10 Alan Coopersmith <alan.coopersmith@sun.com>
|
||||
|
||||
* hw/xfree86/utils/xorgcfg/help.c:
|
||||
Fix buffer size checks to prevent 2-byte buffer overflows.
|
||||
(Coverity #480, #481, #482, #483)
|
||||
|
||||
2006-03-10 Alan Coopersmith <alan.coopersmith@sun.com>
|
||||
|
||||
* configure.ac:
|
||||
* include/dix-config.h.in:
|
||||
Add HAS_MMAP for Xvfb
|
||||
|
|
|
@ -820,7 +820,7 @@ Html_ParseTag(Html_Parser *parser)
|
|||
(void)Html_Get(parser); /* eat `/' */
|
||||
sz = 0;
|
||||
while (isalnum(Html_Peek(parser)) &&
|
||||
sz <= sizeof(buf) + 1)
|
||||
((sz + 1) < sizeof(buf)))
|
||||
buf[sz++] = tolower(Html_Get(parser));
|
||||
buf[sz] = '\0';
|
||||
if ((info = Html_GetInfo(buf)) != NULL) {
|
||||
|
@ -854,7 +854,7 @@ Html_ParseTag(Html_Parser *parser)
|
|||
default:
|
||||
sz = 0;
|
||||
while (isalnum(Html_Peek(parser)) &&
|
||||
sz <= sizeof(buf) + 1)
|
||||
((sz + 1) < sizeof(buf)))
|
||||
buf[sz++] = tolower(Html_Get(parser));
|
||||
buf[sz] = '\0';
|
||||
if ((info = Html_GetInfo(buf)) != NULL) {
|
||||
|
@ -1020,7 +1020,7 @@ Html_Parse1(Html_Parser *parser)
|
|||
while ((ch = Html_Peek(parser)) != ';'
|
||||
&& ch != EOF && !isspace(ch)) {
|
||||
ch = Html_Get(parser);
|
||||
if (sz + 1 <= sizeof(buf))
|
||||
if (sz + 1 < sizeof(buf))
|
||||
buf[sz++] = ch;
|
||||
}
|
||||
buf[sz] = '\0';
|
||||
|
@ -1273,7 +1273,7 @@ Html_FormatTag(Html_Parser *parser)
|
|||
case '/':
|
||||
(void)Html_Get(parser); /* eat `/' */
|
||||
while (isalnum(Html_Peek(parser)) &&
|
||||
sz <= sizeof(buf) + 1)
|
||||
((sz + 1) < sizeof(buf)))
|
||||
buf[sz++] = ch = tolower(Html_Get(parser));
|
||||
buf[sz] = '\0';
|
||||
if ((info = Html_GetInfo(buf)) != NULL && info->adnl) {
|
||||
|
@ -1315,7 +1315,7 @@ Html_FormatTag(Html_Parser *parser)
|
|||
break;
|
||||
default:
|
||||
while (isalnum(Html_Peek(parser)) &&
|
||||
sz <= sizeof(buf) + 1)
|
||||
((sz + 1) < sizeof(buf)))
|
||||
buf[sz++] = tolower(Html_Get(parser));
|
||||
buf[sz] = '\0';
|
||||
if ((info = Html_GetInfo(buf)) != NULL && info->adnl) {
|
||||
|
@ -1625,7 +1625,7 @@ Html_FontArgs(Html_Parser *parser, Html_Item *item)
|
|||
sz = 0;
|
||||
name[sz++] = tolower(Html_Get(parser));
|
||||
while ((ch = Html_Peek(parser)) != '>' && ch != EOF)
|
||||
if (isalnum(ch) && sz + 1 <= sizeof(name))
|
||||
if (isalnum(ch) && (sz + 1 < sizeof(name)))
|
||||
name[sz++] = tolower(Html_Get(parser));
|
||||
else
|
||||
break;
|
||||
|
@ -1639,7 +1639,7 @@ Html_FontArgs(Html_Parser *parser, Html_Item *item)
|
|||
|
||||
sz = 0;
|
||||
while ((ch = Html_Peek(parser)) != '>' && ch != EOF) {
|
||||
if (!isspace(ch) && sz + 1 <= sizeof(value))
|
||||
if (!isspace(ch) && (sz + 1 < sizeof(value)))
|
||||
value[sz++] = Html_Get(parser);
|
||||
else
|
||||
break;
|
||||
|
|
Loading…
Reference in New Issue
Block a user