diff options
author | Eric Wong <normalperson@yhbt.net> | 2011-07-21 03:24:54 +0000 |
---|---|---|
committer | Lars Hjemli <hjemli@gmail.com> | 2011-07-21 14:21:52 +0000 |
commit | 9cae75d040d9102d4b628ba3c828d95d0251f5c0 (patch) | |
tree | 90dd85a1ebcb0c8731bb02823b9d3707e873945d | |
parent | 877ff681007f31c69777e9569c4de819d4af19c9 (diff) | |
download | cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.tar.gz cgit-9cae75d040d9102d4b628ba3c828d95d0251f5c0.zip |
html.c: avoid out-of-bounds access for url_escape_table
This fixes a segfault for me with with -O2 optimization on x86
with gcc (Debian 4.4.5-8) 4.4.5
I can reliably reproduce it with the following parameters
when pointed to the git.git repository:
PATH_INFO='/git-core.git/diff/'
QUERY_STRING='id=2b93bfac0f5bcabbf60f174f4e7bfa9e318e64d5&id2=d6da71a9d16b8cf27f9d8f90692d3625c849cbc8'
Signed-off-by: Eric Wong <normalperson@yhbt.net>
Signed-off-by: Lars Hjemli <hjemli@gmail.com>
-rw-r--r-- | html.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -162,7 +162,7 @@ void html_url_path(const char *txt) { const char *t = txt; while(t && *t){ - int c = *t; + unsigned char c = *t; const char *e = url_escape_table[c]; if (e && c!='+' && c!='&') { html_raw(txt, t - txt); @@ -179,7 +179,7 @@ void html_url_arg(const char *txt) { const char *t = txt; while(t && *t){ - int c = *t; + unsigned char c = *t; const char *e = url_escape_table[c]; if (c == ' ') e = "+"; |