
List:       kde-commits
Subject:    kdelibs/khtml/xml
From:       Andrew Coles <andrew_coles () yahoo ! co ! uk>
Date:       2004-10-19 15:13:33
Message-ID: 20041019151333.F02EE16C7B () office ! kde ! org

CVS commit by coles: 



Corrected several memory errors arising when viewing a deliberately mangled
HTML document.  In particular:

- do not assume the size of a QChar is 1 byte

- attempting to run a single '%' character through parseLength resulted
  in accessing invalid memory

- toLengthArray made more robust to erroneous input: now splits string
  using standard QStringList method


  M +25 -13    dom_stringimpl.cpp   1.52


--- kdelibs/khtml/xml/dom_stringimpl.cpp  #1.51:1.52
@@ -29,4 +29,5 @@
 
 #include <string.h>
+#include <qstringlist.h>
 
 using namespace DOM;
@@ -156,7 +157,8 @@ DOMStringImpl *DOMStringImpl::substring(
 }
 
-static Length parseLength(QChar *s, unsigned int l)
+static Length parseLength(const QChar *s, unsigned int l)
 {
-    const QChar* last = s+l-1;
+
+    const QChar* last = &(s[l-1]);
     if (l && *last == QChar('%')) {
         // CSS allows one decimal after the point, like
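Review bot: `const QChar* last = &(s[l-1]);` is still formed before `l` is checked, so for an empty string it names the element before the buffer (with `l` unsigned the subtraction wraps), which is out of bounds even though the following `if (l && ...)` keeps it from being dereferenced. The original `s+l-1` had the same problem, so this rewrite changes the spelling but not the behaviour. Test the length first and only then form the pointer, e.g. `if (l == 0) return Length(0, Variable);` ahead of the `last` initialisation, rather than relying on the later check further down the function. The rest of parseLength lies outside this hunk.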
@@ -163,7 +165,9 @@ static Length parseLength(QChar *s, unsi
         //  42.2%, but not 42.22%
         // we ignore the non-integer part for speed/space reasons
+
         int i = QConstString(s, l).string().findRev('.');
-        if ( i >= 0 && i < (int)l-1 )
+        if ( i >= 0 && i < (int)l-1 ) {
             l = i + 1;
+        }
 
         bool ok;
@@ -174,9 +178,13 @@ static Length parseLength(QChar *s, unsi
 
         // in case of weird constructs like 5*%
-        last--;
+        last-=sizeof(QChar);
         l--;
     }
 
-    if ( *last == '*') {
+    if (l == 0) { // if the string passed is just a single % character this prevents accessing invalid memory
+        return Length(0, Variable);
+    }
+
+    if ( *last == QChar('*')) {
         if(last == s)
             return Length(1, Relative);
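Review bot: `last-=sizeof(QChar);` steps `last` back by sizeof(QChar) elements, not by one element, because arithmetic on a `const QChar*` is already scaled by the pointee size; the replaced `last--;` was the correct form. With a two-byte QChar the pointer now moves two characters back while `l` is only decremented by one, so for an input such as `5%` the `*last == QChar('*')` test a few lines below reads the element before `s` — the same kind of out-of-bounds access this commit is meant to remove, and the new `l == 0` guard does not catch it. Restore `last--;` and keep the early return. The enclosing function continues past this hunk.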
@@ -200,6 +209,5 @@ khtml::Length* DOMStringImpl::toLengthAr
 {
     QString str(s, l);
-    int pos = 0;
-    int pos2;
+
 
     // web authors are so stupid. This is a workaround
@@ -215,13 +224,16 @@ khtml::Length* DOMStringImpl::toLengthAr
     str = str.simplifyWhiteSpace();
 
-    len = str.contains(' ') + 1;
+    QStringList segments = QStringList::split(QString(" "), str);
+
+    len = segments.size();
     khtml::Length* r = new khtml::Length[len];
+
     int i = 0;
-    while((pos2 = str.find(' ', pos)) != -1)
-    {
-        r[i++] = parseLength((QChar *) str.unicode()+pos, pos2-pos);
-        pos = pos2+1;
+
+    for ( QStringList::Iterator it = segments.begin(); it != segments.end(); ++it, ++i ) {
+        const QChar* const startPtr = (*it).unicode();
+        const unsigned int l = (*it).length();
+        r[i] = parseLength(startPtr, l);
     }
-    r[i] = parseLength((QChar *) str.unicode()+pos, str.length()-pos);
 
     return r;
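Review bot: `QStringList::split(QString(" "), str)` omits empty entries, so an empty or all-whitespace input (after `simplifyWhiteSpace()`) now yields `len = 0` and a zero-length `new khtml::Length[len]`, whereas the replaced `str.contains(' ') + 1` always produced at least one element. A caller that indexes `r[0]` unconditionally would then read past the allocation; I cannot see the callers from here, so either confirm they honour `len == 0` or keep the old shape with `if (segments.isEmpty()) segments.append(QString());` before the allocation. The `++it, ++i` comma pair in the for header is easy to misread; advancing `i` in the loop body is clearer. toLengthArray's signature lies outside this hunk.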


