[Bug-wget] Wget css links parse bug


From: x86
Subject: [Bug-wget] Wget css links parse bug
Date: Wed, 06 Oct 2010 12:49:45 +0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100811 Thunderbird/3.1.1

Hello, while using wget I found this little bug in the css-url.c file.
If wget is running in crawler mode and tries to parse this page:

<html>
<body>
<div style="background: url( )">

If there is one space between the (), wget segfaults while doing strncpy(,,-1). And if there are two or more spaces, wget fails with "memory exhaust". Corresponding code:

char *
get_uri_string (const char *at, int *pos, int *length)
{
  char *uri;
  /*char buf[1024];
  strncpy(buf,at + *pos, *length);
  buf[*length] = '\0';
  DEBUGP (("get_uri_string: \"%s\"\n", buf));*/

  if (0 != strncasecmp (at + *pos, "url(", 4))
    return NULL;

  *pos += 4;
  *length -= 5; /* url() */
  /* skip leading space */
  while (isspace (at[*pos]))
    {
    (*pos)++;
    (*length)--;
    }
  /* skip trailing space */
  while (isspace (at[*pos + *length - 1])) // BUG: this loop makes *length equal to -1 or less
    {
      (*length)--;
    }
  /* trim off quotes */
  if (at[*pos] == '\'' || at[*pos] == '"')
    {
      (*pos)++;
      *length -= 2;
    }

  uri = xmalloc (*length + 1); // this allocates a chunk of size 0, or dies
  if (uri)
    {
      strncpy (uri, at + *pos, *length); // this copies the buffer into a chunk of size 0, tries to pad the rest of the space with 0, and segfaults
      uri[*length] = '\0';
    }

  return uri;
}

Currently I am using this patch:
--- css-url.c   2010-10-02 15:14:00.000000000 +0400
+++ css-url.c2  2010-10-06 11:35:21.000000000 +0400
@@ -123,13 +123,13 @@
   *pos += 4;
   *length -= 5; /* url() */
   /* skip leading space */
-  while (isspace (at[*pos]))
+  while (*length > 0 && isspace (at[*pos]))
     {
     (*pos)++;
     (*length)--;
     }
   /* skip trailing space */
-  while (isspace (at[*pos + *length - 1]))
+  while (*length > 0 && isspace (at[*pos + *length - 1]))
     {
       (*length)--;
     }
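Review bot: both loop conditions still hand a plain char to isspace (at[*pos] and at[*pos + *length - 1]), which is undefined for bytes above 0x7f on platforms where char is signed; since these lines are being touched anyway, cast the argument to unsigned char. The new *length > 0 test is correctly placed ahead of the index expression in the trailing loop, so at[*pos - 1] is no longer read once nothing is left. Note that *length -= 5 above can already leave a negative value for a short token; the guards tolerate that, but rejecting it depends entirely on the check added later in the function.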
@@ -139,6 +139,8 @@
       (*pos)++;
       *length -= 2;
     }
+  if(*length <= 0)
+       return NULL;

   uri = xmalloc (*length + 1);
   if (uri)
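Review bot: the early return NULL added after the quote trim exits with *pos already advanced and *length at zero or below in the caller's variables, so every caller that reads them after a NULL result needs checking; consider doing the trimming in locals and writing back only on success, or documenting that both are unspecified on failure. Placing the check after *length -= 2 is right, because a token holding only an opening quote would pass the loop guards and go negative at that step. Style: write if (*length <= 0) with a space before the parenthesis and indent the return two columns under the if, matching the surrounding code.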

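An added example (not part of the original post or of wget's source) that replays only the index arithmetic of get_uri_string, without the allocation or the copy, to show which values reach xmalloc and strncpy for the reported inputs and what the patched loops leave instead. The helper names and sample tokens are constructed for illustration, and xmalloc is assumed to take a size_t.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Final *length after the trimming steps of get_uri_string(), copy omitted.
   tok: constructed CSS token assumed to start with "url(" and end with ")".
   guarded == 0 uses the loops from the report, nonzero the patched loops. */
static int trimmed_length(const char *tok, int guarded)
{
    int pos = 4;                        /* *pos += 4 */
    int length = (int)strlen(tok) - 5;  /* *length -= 5, for "url()" */

    /* skip leading space */
    while ((!guarded || length > 0) && isspace((unsigned char)tok[pos])) {
        pos++;
        length--;
    }
    /* skip trailing space: unguarded, this walks back over the same spaces */
    while ((!guarded || length > 0)
           && isspace((unsigned char)tok[pos + length - 1]))
        length--;
    /* trim off quotes */
    if (tok[pos] == '\'' || tok[pos] == '"')
        length -= 2;
    return length;
}

/* What xmalloc (*length + 1) receives once the int becomes a size_t. */
static size_t alloc_request(int length) { return (size_t)(length + 1); }

/* What strncpy (uri, at + *pos, *length) receives as its count. */
static size_t copy_request(int length) { return (size_t)length; }

int main(void)
{
    /* Constructed sample tokens, not taken from a real page. */
    const char *samples[] = { "url( )", "url(  )", "url(\")", "url( 'a.png' )" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int before = trimmed_length(samples[i], 0);
        int after = trimmed_length(samples[i], 1);
        printf("%-16s unpatched: length=%d alloc=%zu copy=%zu | patched: length=%d %s\n",
               samples[i], before, alloc_request(before), copy_request(before),
               after, after <= 0 ? "-> return NULL" : "-> copy");
    }
    return 0;
}
```

The `url(")` row shows why the patch needs its final `*length <= 0` check in addition to the loop guards: the quote trim alone takes the length to -1.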