List: kde-commits
Subject: kdelibs/khtml/xml
From: Andrew Coles <andrew_coles () yahoo ! co ! uk>
Date: 2004-10-19 15:13:33
Message-ID: 20041019151333.F02EE16C7B () office ! kde ! org
CVS commit by coles:
Corrected several memory errors arising when viewing a deliberately mangled
HTML document. In particular:
- do not assume the size of a QChar is 1 byte
- attempting to run a single '%' character through parseLength resulted
in accessing invalid memory
- toLengthArray made more robust to erroneous input: now splits string
using standard QStringList method
M +25 -13 dom_stringimpl.cpp 1.52
--- kdelibs/khtml/xml/dom_stringimpl.cpp #1.51:1.52
@@ -29,4 +29,5 @@
#include <string.h>
+#include <qstringlist.h>
using namespace DOM;
@@ -156,7 +157,8 @@ DOMStringImpl *DOMStringImpl::substring(
}
-static Length parseLength(QChar *s, unsigned int l)
+static Length parseLength(const QChar *s, unsigned int l)
{
- const QChar* last = s+l-1;
+
+ const QChar* last = &(s[l-1]);
if (l && *last == QChar('%')) {
// CSS allows one decimal after the point, like
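Review bot: `&(s[l-1])` yields exactly the same address as the removed `s+l-1`, so this line changes nothing, and when `l == 0` the unsigned `l-1` wraps and the pointer is formed far outside the buffer before any length check runs. Forming that pointer is already undefined behaviour even though `l &&` prevents the dereference here. Declaring `last` only after an early `if (l == 0) return Length(0, Variable);` would avoid the out-of-range pointer entirely. The body of parseLength continues past the end of this hunk.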
@@ -163,7 +165,9 @@ static Length parseLength(QChar *s, unsi
// 42.2%, but not 42.22%
// we ignore the non-integer part for speed/space reasons
+
int i = QConstString(s, l).string().findRev('.');
- if ( i >= 0 && i < (int)l-1 )
+ if ( i >= 0 && i < (int)l-1 ) {
l = i + 1;
+ }
bool ok;
@@ -174,9 +178,13 @@ static Length parseLength(QChar *s, unsi
// in case of weird constructs like 5*%
- last--;
+ last-=sizeof(QChar);
l--;
}
- if ( *last == '*') {
+ if (l == 0) { // if the string passed is just a single % character this prevents \
accessing invalid memory
+ return Length(0, Variable);
+ }
+
+ if ( *last == QChar('*')) {
if(last == s)
return Length(1, Relative);
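Review bot: `last-=sizeof(QChar);` moves `last` back by sizeof(QChar) elements instead of one, because arithmetic on a `const QChar*` is already scaled by the element size. The `l--` on the next line still shrinks the length by one, so pointer and length stop agreeing. Where QChar is two bytes, a two-character input ending in '%' leaves `last` pointing before `s`, and the later `*last == QChar('*')` then reads outside the buffer while `l` is 1, which the new `l == 0` guard does not catch. The original `last--;` was correct and should be kept. parseLength starts and ends outside this hunk.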
@@ -200,6 +209,5 @@ khtml::Length* DOMStringImpl::toLengthAr
{
QString str(s, l);
- int pos = 0;
- int pos2;
+
// web authors are so stupid. This is a workaround
@@ -215,13 +224,16 @@ khtml::Length* DOMStringImpl::toLengthAr
str = str.simplifyWhiteSpace();
- len = str.contains(' ') + 1;
+ QStringList segments = QStringList::split(QString(" "), str);
+
+ len = segments.size();
khtml::Length* r = new khtml::Length[len];
+
int i = 0;
- while((pos2 = str.find(' ', pos)) != -1)
- {
- r[i++] = parseLength((QChar *) str.unicode()+pos, pos2-pos);
- pos = pos2+1;
+
+ for ( QStringList::Iterator it = segments.begin(); it != segments.end(); ++it, \
++i ) {
+ const QChar* const startPtr = (*it).unicode();
+ const unsigned int l = (*it).length();
+ r[i] = parseLength(startPtr, l);
}
- r[i] = parseLength((QChar *) str.unicode()+pos, str.length()-pos);
return r;
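Review bot: An empty or whitespace-only input now gives `len == 0` and `new khtml::Length[0]`, whereas the removed code always produced at least one element. This follows from `simplifyWhiteSpace()` reducing such input to an empty string and `QStringList::split` dropping empty entries by default. The callers are not visible here, so it should be confirmed that none reads `r[0]` without first checking `len`. At minimum the function deserves a comment such as `// len may be 0 for empty input; callers must check it before indexing the returned array`. toLengthArray begins before and ends after this hunk.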