texinfo-commits
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[7648] scan_reference_label check return value properly

From: gavinsmith0123
Subject: [7648] scan_reference_label check return value properly
Date: Mon, 23 Jan 2017 15:31:40 -0500 (EST) 
Revision: 7648
          http://svn.sv.gnu.org/viewvc/?view=rev&root=texinfo&revision=7648
Author:   gavin
Date:     2017-01-23 15:31:40 -0500 (Mon, 23 Jan 2017)
Log Message:
-----------
scan_reference_label check return value properly

Modified Paths:
--------------
    trunk/ChangeLog
    trunk/info/info-utils.c

Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog     2017-01-23 19:47:08 UTC (rev 7647)
+++ trunk/ChangeLog     2017-01-23 20:31:40 UTC (rev 7648)
@@ -1,5 +1,11 @@
 2017-01-23  Gavin Smith  <address@hidden>
 
+       * info/info-utils.c (scan_reference_label): Properly check 
+       return value of 'read_quoted_string' to avoid reading past the 
+       end of the buffer.  Invalid read reported by Hanno B\xF6ck.
+
+2017-01-23  Gavin Smith  <address@hidden>
+
        * info/nodes.c (adjust_nodestart): Check that both the start and 
        end of the region where we search for the node separator are
        within the file buffer, to avoid invalidly reading memory in 

Modified: trunk/info/info-utils.c
===================================================================
--- trunk/info/info-utils.c     2017-01-23 19:47:08 UTC (rev 7647)
+++ trunk/info/info-utils.c     2017-01-23 20:31:40 UTC (rev 7648)
@@ -1262,7 +1262,8 @@
 scan_reference_label (REFERENCE *entry)
 {
   char *dummy;
-  int label_len = 0;
+  int max_lines;
+  int len, label_len = 0;
 
   /* Handle case of cross-reference like (FILE)^?NODE^?::. */
   if (inptr[0] == '(')
@@ -1271,13 +1272,14 @@
   /* Search forward to ":" to get label name.  Cross-references may have
      a newline in the middle. */
   if (entry->type == REFERENCE_MENU_ITEM)
-    label_len += read_quoted_string (inptr + label_len, ":", 1, &dummy);
+    max_lines = 1;
   else
-    label_len += read_quoted_string (inptr + label_len, ":", 2, &dummy);
+    max_lines = 2;
+  len = read_quoted_string (inptr + label_len, ":", max_lines, &dummy);
   free (dummy);
-    
-  if (label_len == 0)
-    return 0;
+  if (!len)
+    return 0; /* Input invalid. */
+  label_len += len;
 
   entry->label = xmalloc (label_len + 1);
   memcpy (entry->label, inptr, label_len);
reply via email to
[Prev in Thread] Current Thread [Next in Thread]