authorHiltjo Posthuma <hiltjo@codemadness.org>2023-04-13 00:34:23 +0200
committerHiltjo Posthuma <hiltjo@codemadness.org>2023-04-13 00:34:23 +0200
commiteb8d6cf63815bff6697ebc7ae1b83f998b6eab53 (patch)
treea42b1bb76233521d2de47de7f9dd3affe14a69c3
parent728270f69c34a84cb10aa891178c90c8fe36320d (diff)
atom, json, mbox: fix reading past the buffer with an escaped NUL byte (\ NUL)
This would skip the end-of-string check for a NUL byte, because the iteration step was done before checking it. It would proceed into the data that comes after. Note that sfeed itself can't generate such malformed data. Example input: 0 title link content\ html Would incorrectly print "contenthtml" as the content.
-rw-r--r--sfeed_atom.c2
-rw-r--r--sfeed_json.c2
-rw-r--r--sfeed_mbox.c2
3 files changed, 6 insertions, 0 deletions
diff --git a/sfeed_atom.c b/sfeed_atom.c
index aeea2de..ace7d5a 100644
--- a/sfeed_atom.c
+++ b/sfeed_atom.c
@@ -22,6 +22,8 @@ printcontent(const char *s)
case '&': fputs("&amp;", stdout); break;
case '"': fputs("&quot;", stdout); break;
case '\\':
+ if (*(s + 1) == '\0')
+ break;
s++;
switch (*s) {
case 'n': putchar('\n'); break;
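Review bot: The new guard under `case '\\':` silently drops a trailing backslash, and nothing in the hunk records that this is deliberate; a one-line comment above it would help, e.g. `/* lone backslash before NUL: drop it so s never steps past the terminator */`. The identical guard is added in the sfeed_json.c and sfeed_mbox.c hunks, so the same comment applies there, and any other formatter that decodes this escape (none visible here) would presumably need the same check. As a style point, `if (s[1] == '\0')` reads more directly than `*(s + 1)`. printcontent's body starts and ends outside the hunk, so the loop this `break` returns to is inferred from the other two files.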
diff --git a/sfeed_json.c b/sfeed_json.c
index f6bb904..e177d2b 100644
--- a/sfeed_json.c
+++ b/sfeed_json.c
@@ -16,6 +16,8 @@ printcontent(const char *s)
for (; *s; s++) {
switch (*s) {
case '\\':
+ if (*(s + 1) == '\0')
+ break;
s++;
switch (*s) {
case 'n': fputs("\\n", stdout); break;
diff --git a/sfeed_mbox.c b/sfeed_mbox.c
index b5e7e3d..c00971f 100644
--- a/sfeed_mbox.c
+++ b/sfeed_mbox.c
@@ -37,6 +37,8 @@ escapefrom:
for (; *s; s++) {
switch (*s) {
case '\\':
+ if (*(s + 1) == '\0')
+ break;
s++;
switch (*s) {
case 'n':