From eb8d6cf63815bff6697ebc7ae1b83f998b6eab53 Mon Sep 17 00:00:00 2001
From: Hiltjo Posthuma
Date: Thu, 13 Apr 2023 00:34:23 +0200
Subject: atom, json, mbox: fix reading past the buffer with an escaped NUL byte (\ NUL)

This would skip checking the end of the string of checking a NUL byte, because the iteration was done before checking it. It would proceed into the data that comes after. Note that sfeed itself can't generate such malformed data itself. Example input: 0 title link content\ html Would incorrect print "contenthtml" as the content.
---
 sfeed_atom.c | 2 ++
 sfeed_json.c | 2 ++
 sfeed_mbox.c | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/sfeed_atom.c b/sfeed_atom.c
index aeea2de..ace7d5a 100644
--- a/sfeed_atom.c
+++ b/sfeed_atom.c
@@ -22,6 +22,8 @@ printcontent(const char *s)
 case '&': fputs("&", stdout); break;
 case '"': fputs(""", stdout); break;
 case '\\':
+ if (*(s + 1) == '\0')
+ break;
 s++;
 switch (*s) {
 case 'n': putchar('\n'); break;
diff --git a/sfeed_json.c b/sfeed_json.c
index f6bb904..e177d2b 100644
--- a/sfeed_json.c
+++ b/sfeed_json.c
@@ -16,6 +16,8 @@ printcontent(const char *s)
 for (; *s; s++) {
 switch (*s) {
 case '\\':
+ if (*(s + 1) == '\0')
+ break;
 s++;
 switch (*s) {
 case 'n': fputs("\\n", stdout); break;
diff --git a/sfeed_mbox.c b/sfeed_mbox.c
index b5e7e3d..c00971f 100644
--- a/sfeed_mbox.c
+++ b/sfeed_mbox.c
@@ -37,6 +37,8 @@ escapefrom:
 for (; *s; s++) {
 switch (*s) {
 case '\\':
+ if (*(s + 1) == '\0')
+ break;
 s++;
 switch (*s) {
 case 'n':
-- 
cgit v1.2.3
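Review bot: The guard added under `case '\\':` in printcontent() of sfeed_atom.c silently discards a trailing backslash and carries no comment explaining why the check must come before `s++`; the identical two lines in the sfeed_json.c and sfeed_mbox.c hunks have the same gap. I would put a comment above each guard, for example `/* lone backslash at end of field: do not step over the terminating NUL */`, and write the test as `if (s[1] == '\0')`, which reads more plainly than `*(s + 1)`. The commit message notes that sfeed cannot produce such input itself, so the malformed data presumably arrives from other sources; a regression input whose field ends in a backslash, run under AddressSanitizer, would keep the out-of-bounds read from returning. All three loop bodies start and end outside the hunks, so whether any other escape-decoding loop in the project needs the same guard cannot be judged from this patch.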