153aa9179Sopenharmony_ciFrom d58bff6125f066689a872113123152fdcfe693cc Mon Sep 17 00:00:00 2001
253aa9179Sopenharmony_ciFrom: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
353aa9179Sopenharmony_ciDate: Thu, 1 Dec 2022 12:53:15 +0000
453aa9179Sopenharmony_ciSubject: [PATCH 27/28] Avoid creating an out-of-bounds pointer by rewriting a
553aa9179Sopenharmony_ci check
653aa9179Sopenharmony_ci
753aa9179Sopenharmony_ciCreating more than one-past-the-end pointers is undefined behaviour in C
853aa9179Sopenharmony_ciand while this code is unlikely to be miscompiled, I discovered that an
953aa9179Sopenharmony_ciout-of-bounds pointer is being created using UBSan on a CHERI-enabled
1053aa9179Sopenharmony_cisystem.
1153aa9179Sopenharmony_ci
1253aa9179Sopenharmony_ciReference: https://github.com/GNOME/libxml2/commit/c715ded0861af956ba584f566bc7db6717f519d0
1353aa9179Sopenharmony_ciConflict: NA
1453aa9179Sopenharmony_ci---
1553aa9179Sopenharmony_ci HTMLparser.c | 2 +-
1653aa9179Sopenharmony_ci 1 file changed, 1 insertion(+), 1 deletion(-)
1753aa9179Sopenharmony_ci
1853aa9179Sopenharmony_cidiff --git a/HTMLparser.c b/HTMLparser.c
1953aa9179Sopenharmony_ciindex 746edf6..60dea30 100644
2053aa9179Sopenharmony_ci--- a/HTMLparser.c
2153aa9179Sopenharmony_ci+++ b/HTMLparser.c
2253aa9179Sopenharmony_ci@@ -2333,7 +2333,7 @@ htmlEncodeEntities(unsigned char* out, int *outlen,
2353aa9179Sopenharmony_ci 	    else
2453aa9179Sopenharmony_ci 		cp = ent->name;
2553aa9179Sopenharmony_ci 	    len = strlen(cp);
2653aa9179Sopenharmony_ci-	    if (out + 2 + len > outend)
2753aa9179Sopenharmony_ci+	    if (outend - out < len + 2)
2853aa9179Sopenharmony_ci 		break;
2953aa9179Sopenharmony_ci 	    *out++ = '&';
3053aa9179Sopenharmony_ci 	    memcpy(out, cp, len);
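Review bot: The rewritten guard on the `+` line carries no comment saying why it is written as a pointer difference rather than `out + 2 + len > outend`, so a later cleanup could revert it to exactly the form this commit removes; a one-line comment above the check such as `/* compare remaining space, not pointers: out + 2 + len may point past the end of the buffer, which is UB */` would preserve the intent. The declared type of `len` is outside the hunk; it is assigned from `strlen()`, so if it is `size_t` the `ptrdiff_t` left-hand side is converted to unsigned and `-Wsign-compare` will warn, whereas if it is `int` both sides are signed — worth confirming which, since this comparison is the only bound on the `memcpy` and the single-byte writes that follow it. The difference form is well-defined only as long as `out` never advances past `outend`, which the visible lines do not establish on their own. htmlEncodeEntities starts before and ends after this hunk.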
3153aa9179Sopenharmony_ci-- 
3253aa9179Sopenharmony_ci2.27.0
3353aa9179Sopenharmony_ci