1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
|
From: =?utf-8?q?H=C3=A5vard_Flaget_Aasen?= <haavard_aasen@yahoo.no>
Date: Thu, 3 Jun 2021 21:15:52 +0200
Subject: CVE-2021-26948
Fix crash bug with data: URIs (Issue #410)
Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2
Bug: https://github.com/michaelrsweet/htmldoc/issues/410
Bug-Debian: https://bugs.debian.org/989437
---
htmldoc/file.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/htmldoc/file.c
+++ b/htmldoc/file.c
@@ -586,11 +586,13 @@
*/
for (i = 0; i < (int)web_files; i ++)
+ {
if (strcmp(s, web_cache[i].name) == 0)
{
DEBUG_printf(("file_find: Returning cache file \"%s\"!\n", s));
return (s);
}
+ }
DEBUG_printf(("file_find: \"%s\" not in web cache of %d files...\n", s, (int)web_files));
@@ -599,11 +601,14 @@
*/
if (strchr(s, '%') == NULL)
+ {
strlcpy(basename, s, sizeof(basename));
+ }
else
{
for (sptr = s, temp = basename;
*sptr && temp < (basename + sizeof(basename) - 1);)
+ {
if (*sptr == '%' && isxdigit(sptr[1]) && isxdigit(sptr[2]))
{
/*
@@ -626,6 +631,7 @@
}
else
*temp++ = *sptr++;
+ }
*temp = '\0';
}
@@ -880,7 +886,9 @@
const char * /* O - Method string ("http", "ftp", etc.) */
file_method(const char *s) /* I - Filename or URL */
{
- if (strncmp(s, "http:", 5) == 0)
+ if (strncmp(s, "data:", 5) == 0)
+ return ("data");
+ else if (strncmp(s, "http:", 5) == 0)
return ("http");
else if (strncmp(s, "https:", 6) == 0)
return ("https");
|