diff options
author | Hiltjo Posthuma <hiltjo@codemadness.org> | 2023-04-13 00:34:23 +0200 |
---|---|---|
committer | Hiltjo Posthuma <hiltjo@codemadness.org> | 2023-04-13 00:34:23 +0200 |
commit | eb8d6cf63815bff6697ebc7ae1b83f998b6eab53 (patch) | |
tree | a42b1bb76233521d2de47de7f9dd3affe14a69c3 | |
parent | 728270f69c34a84cb10aa891178c90c8fe36320d (diff) |
atom, json, mbox: fix reading past the buffer with an escaped NUL byte (\ NUL)
This would skip checking the end of the string of checking a NUL byte, because
the iteration was done before checking it.
It would proceed into the data that comes after. Note that sfeed itself can't
generate such malformed data itself.
Example input:
0 title link content\ html
Would incorrect print "contenthtml" as the content.
-rw-r--r-- | sfeed_atom.c | 2 | ||||
-rw-r--r-- | sfeed_json.c | 2 | ||||
-rw-r--r-- | sfeed_mbox.c | 2 |
3 files changed, 6 insertions, 0 deletions
diff --git a/sfeed_atom.c b/sfeed_atom.c index aeea2de..ace7d5a 100644 --- a/sfeed_atom.c +++ b/sfeed_atom.c @@ -22,6 +22,8 @@ printcontent(const char *s) case '&': fputs("&", stdout); break; case '"': fputs(""", stdout); break; case '\\': + if (*(s + 1) == '\0') + break; s++; switch (*s) { case 'n': putchar('\n'); break; diff --git a/sfeed_json.c b/sfeed_json.c index f6bb904..e177d2b 100644 --- a/sfeed_json.c +++ b/sfeed_json.c @@ -16,6 +16,8 @@ printcontent(const char *s) for (; *s; s++) { switch (*s) { case '\\': + if (*(s + 1) == '\0') + break; s++; switch (*s) { case 'n': fputs("\\n", stdout); break; diff --git a/sfeed_mbox.c b/sfeed_mbox.c index b5e7e3d..c00971f 100644 --- a/sfeed_mbox.c +++ b/sfeed_mbox.c @@ -37,6 +37,8 @@ escapefrom: for (; *s; s++) { switch (*s) { case '\\': + if (*(s + 1) == '\0') + break; s++; switch (*s) { case 'n': |