Correctly cast `name_length`

`buffer[i++]` is a `signed char` so this cast does not correctly handle
negative values. If a custom tag has a length greater than 128 then
`buffer[i++]` is negative and so the `(uint16_t)` cast will cast it to a large
unsigned integer. This causes an out-of-bounds read when reading the tag name.

We need to cast `name_length` to a `uint8_t` first, then widen to a `uint16_t`.
Phil Turnbull 2019-02-26 11:55:24 -05:00
parent faa7edc877
commit 76f96c5979
No known key found for this signature in database
GPG Key ID: D81B30C00789D262
1 changed files with 1 additions and 1 deletions
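The sign-extension problem described in the commit message, shown as an added example that is not code from this commit or its project. It contrasts the original `(uint16_t)` cast with the fixed `uint8_t`-then-widen cast on a byte holding the value 200, and parses a constructed tag stream with the same `[type][length][name...]` layout the hunk implies, adding the bounds check a reviewer would want. The tag layout, `TagType` values, `parse_tag`, `make_sample` and the explicit `signed char` buffer are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Assumed (hypothetical) tag layout mirroring the hunk: [type byte][length byte][name bytes...]
enum TagType : uint8_t { PLAIN = 0, CUSTOM = 1 };

// Pre-fix widening: the signed char is sign-extended to int, then that
// negative int is converted to uint16_t, giving a value near 65535.
uint16_t widen_buggy(signed char c) { return (uint16_t)c; }

// Post-fix widening: reinterpret the byte as unsigned first, then widen.
uint16_t widen_fixed(signed char c) { return static_cast<uint8_t>(c); }

// Parses one tag starting at offset `i`. Returns false rather than reading past
// the end of `buffer`; on success advances `i` and, for CUSTOM tags, fills `name`.
bool parse_tag(const std::vector<signed char>& buffer, size_t& i, std::string& name) {
    if (buffer.size() - i < 2 || i > buffer.size()) return false;   // need type + length bytes
    TagType type = static_cast<TagType>(static_cast<uint8_t>(buffer[i++]));
    uint16_t name_length = widen_fixed(buffer[i++]);
    if (type != CUSTOM) { name.clear(); return true; }
    if (name_length > buffer.size() - i) return false;             // declared length exceeds remaining data
    name.assign(reinterpret_cast<const char*>(buffer.data() + i), name_length);
    i += name_length;
    return true;
}

// Constructed sample input: one CUSTOM tag whose name is `len` bytes long.
// For len = 200 the length byte is stored as the signed char value -56.
std::vector<signed char> make_sample(size_t len) {
    std::vector<signed char> buf;
    buf.push_back(static_cast<signed char>(CUSTOM));
    buf.push_back(static_cast<signed char>(len));
    for (size_t k = 0; k < len; ++k)
        buf.push_back(static_cast<signed char>('a' + (k % 26)));
    return buf;
}

int main() {
    std::vector<signed char> buf = make_sample(200);
    size_t i = 0;
    std::string name;
    bool ok = parse_tag(buf, i, name);          // true, name.size() == 200, i == 202
    buf.resize(100);                             // truncate the input: declared 200, only 98 present
    size_t j = 0;
    bool ok_truncated = parse_tag(buf, j, name); // false: bounds check rejects it
    return (ok && !ok_truncated) ? 0 : 1;
}
```

With the original cast, `widen_buggy` turns the length byte 200 into 65480, so the `assign` in the hunk would read roughly 64 KiB past the tag; `widen_fixed` returns 200. Whether plain `char` is signed is platform-dependent, which is why the example fixes the element type to `signed char` to reproduce the bug deterministically.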


@ -71,7 +71,7 @@ struct Scanner {
Tag &tag = tags[j];
tag.type = static_cast<TagType>(buffer[i++]);
if (tag.type == CUSTOM) {
uint16_t name_length = (uint16_t)buffer[i++];
uint16_t name_length = static_cast<uint8_t>(buffer[i++]);
tag.custom_tag_name.assign(&buffer[i], &buffer[i + name_length]);
i += name_length;
}
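Review bot: the `static_cast<uint8_t>` on the `name_length` line stops a length byte of 128 or more from being sign-extended into a value near 65535, but the next line, `tag.custom_tag_name.assign(&buffer[i], &buffer[i + name_length]);`, still reads `name_length` bytes without checking that `i + name_length` lies within `buffer`, so a truncated or malicious input whose declared length exceeds the remaining data still reads past the end; add a check of `name_length` against the remaining buffer size (the size variable is not visible in this hunk) before the `assign`, and note that the two `buffer[i++]` reads for `tag.type` and `name_length` are likewise unguarded if `i` is already at the end. One wording point: the commit message says "greater than 128", but 128 itself is already negative as a `signed char`, so the affected range is 128 or greater.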