[oi-userland.git] / components / text / tidy / patches / CVE-2015-5522.patch
1 # Taken from Debian Jessie package
3 From c18f27a58792f7fbd0b30a0ff50d6b40a82f940d Mon Sep 17 00:00:00 2001
4 From: Geoff McLane <ubuntu@geoffair.info>
5 Date: Wed, 3 Jun 2015 20:26:03 +0200
6 Subject: [PATCH] Issue #217 - avoid len going negative, ever...
8 ---
9 src/lexer.c | 8 +++++---
10 1 file changed, 5 insertions(+), 3 deletions(-)
12 diff --git a/src/lexer.c b/src/lexer.c
13 index 376a3d8..664f806 100644
14 --- a/src/lexer.c
15 +++ b/src/lexer.c
16 @@ -3739,16 +3740,17 @@ static tmbstr ParseValue( TidyDocImpl* doc, ctmbstr name,
17 /* and prompts attributes unless --literal-attributes is set to yes */
18 /* #994841 - Whitespace is removed from value attributes */
20 - if (munge &&
21 + /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
22 + if ((len > 0) && munge &&
23 TY_(tmbstrcasecmp)(name, "alt") &&
24 TY_(tmbstrcasecmp)(name, "title") &&
25 TY_(tmbstrcasecmp)(name, "value") &&
26 TY_(tmbstrcasecmp)(name, "prompt"))
28 - while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
29 + while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
30 --len;
32 - while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
33 + while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
35 ++start;
36 --len;
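Review bot: In the trailing-whitespace loop the new `(len > 0)` test sits after the buffer read, so `lexer->lexbuf[start+len-1]` is still evaluated once with `len == 0` (index `start-1`) when the value is all whitespace; put the bound first: `while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))`. The leading-whitespace loop has the same ordering and should likewise test `len > 0` before touching `lexbuf[start]`. Its `start < len` term compares what looks like a buffer offset with a length, so leading whitespace may be left untrimmed whenever the value begins at an offset of `len` or more; that condition predates this patch and is worth confirming against the rest of ParseValue, which lies outside this hunk. The declarations of `start` and `len` are not visible here, so whether the `start-1` read can fall outside the buffer is unconfirmed.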