I find that the above sequence will not be handled correctly by the 'unesc' command:
echo '"' | xmlstarlet unesc
entity name too long: " "
It looks to me like the length check is one-off. The patch below works for me, but I'm not 100% sure that it doesn't create a buffer overrun.
--- src/xml_escape.c.orig 2021-01-09 11:26:11.363863708 +0100
+++ src/xml_escape.c 2021-01-09 11:26:17.678959009 +0100
@@ -222,7 +222,7 @@
semicolon_off++;
}
entity_len = semicolon_off - i;
- if (entity_len < MAX_ENTITY_NAME) {
+ if (entity_len <= MAX_ENTITY_NAME) {
memcpy(entity, &str[i], entity_len);
entity[entity_len] = '\0';
if (str[semicolon_off] == ';') {
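Review bot: The buffer-overrun worry is justified on the face of this hunk. With the comparison changed to '<=', entity_len may now equal MAX_ENTITY_NAME, and the two following lines, memcpy(entity, &str[i], entity_len); and entity[entity_len] = '\0';, then write MAX_ENTITY_NAME + 1 bytes into entity. That is only safe if entity is declared with at least MAX_ENTITY_NAME + 1 bytes, and the declaration is not in the hunk. Please check it: if it is char entity[MAX_ENTITY_NAME], either enlarge the buffer to MAX_ENTITY_NAME + 1 alongside this change, or keep '<' and raise MAX_ENTITY_NAME by one instead, so that the terminator always lands inside the array.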
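To make the relationship between the length check and the buffer size concrete, here is an added C example that is not xmlstarlet's code and not the commenter's patch: an entity-name extractor whose buffer is declared one byte larger than the limit, so that accepting entity_len == MAX_ENTITY_NAME is safe. MAX_ENTITY_NAME = 8, the function names and the sample inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit for this example; xmlstarlet's real MAX_ENTITY_NAME is not shown above. */
#define MAX_ENTITY_NAME 8

/* Copy the entity name starting at str[i] (just after the '&') up to the next ';' into
 * 'entity'. The buffer is declared MAX_ENTITY_NAME + 1 bytes, so a name of exactly
 * MAX_ENTITY_NAME characters still leaves room for the NUL and the check may accept
 * entity_len == MAX_ENTITY_NAME; with a buffer of only MAX_ENTITY_NAME bytes the
 * terminator store below would land one byte past the array for such a name.
 * Returns the offset of the ';', or -1 if the name is empty, unterminated or too long
 * (nothing is written to 'entity' in that case). */
static long extract_entity_name(const char *str, size_t i, char entity[MAX_ENTITY_NAME + 1])
{
    size_t semicolon_off = i;
    while (str[semicolon_off] != '\0' && str[semicolon_off] != ';')
        semicolon_off++;
    if (str[semicolon_off] != ';')
        return -1;                          /* end of string reached without ';' */
    size_t entity_len = semicolon_off - i;
    if (entity_len == 0 || entity_len > MAX_ENTITY_NAME)
        return -1;                          /* empty, or would not fit with its NUL */
    memcpy(entity, &str[i], entity_len);    /* at most MAX_ENTITY_NAME bytes */
    entity[entity_len] = '\0';              /* index <= MAX_ENTITY_NAME: in bounds */
    return (long)semicolon_off;
}

/* 1 if the name after the '&' at str[0] is accepted and equals 'expected';
 * with expected == NULL, 1 if the input is rejected. */
static int entity_name_matches(const char *str, const char *expected)
{
    char entity[MAX_ENTITY_NAME + 1];
    if (extract_entity_name(str, 1, entity) < 0)
        return expected == NULL;
    return expected != NULL && strcmp(entity, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal name, one of exactly the limit, one past it, two malformed. */
    const char *inputs[] = { "&quot;", "&abcdefgh;", "&abcdefghi;", "&amp", "&;" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        char entity[MAX_ENTITY_NAME + 1];
        long rc = extract_entity_name(inputs[k], 1, entity);
        printf("%-12s -> %s\n", inputs[k], rc < 0 ? "rejected" : entity);
    }
    return 0;
}
```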