gnu/packages/patches/tidy-CVE-2015-5522+5523.patch

   1 Copied from Debian.
   2
   3 From c18f27a58792f7fbd0b30a0ff50d6b40a82f940d Mon Sep 17 00:00:00 2001
   4 From: Geoff McLane <ubuntu@geoffair.info>
   5 Date: Wed, 3 Jun 2015 20:26:03 +0200
   6 Subject: [PATCH] Issue #217 - avoid len going negative, ever...
   7
   8 ---
   9  src/lexer.c | 8 +++++---
  10  1 file changed, 5 insertions(+), 3 deletions(-)
  11
  12 diff --git a/src/lexer.c b/src/lexer.c
  13 index 376a3d8..664f806 100644
  14 --- a/src/lexer.c
  15 +++ b/src/lexer.c
  16 @@ -3739,16 +3740,17 @@ static tmbstr ParseValue( TidyDocImpl* doc, ctmbstr name,
  17          /* and prompts attributes unless --literal-attributes is set to yes      */
  18          /* #994841 - Whitespace is removed from value attributes                 */
  19
  20 -        if (munge &&
  21 +        /* Issue #217 - Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
  22 +        if ((len > 0) && munge &&
  23              TY_(tmbstrcasecmp)(name, "alt") &&
  24              TY_(tmbstrcasecmp)(name, "title") &&
  25              TY_(tmbstrcasecmp)(name, "value") &&
  26              TY_(tmbstrcasecmp)(name, "prompt"))
  27          {
  28 -            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
  29 +            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
  30                  --len;
  31
  32 -            while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
  33 +            while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0))
  34              {
  35                  ++start;
  36                  --len;