From 0dd8f84c027ed56deab73e88a35049e24ef0b4e4 Mon Sep 17 00:00:00 2001
From: John Mark Bell
Date: Tue, 6 Jan 2009 12:39:56 +0000
Subject: Fix potential read beyond available input data when processing \r in some states.
What happened was that, given \rabc, we would advance past the \r, then read at current_offset + len (len == 1). I.E. read 'b' instead of 'a'. If the data in the inputstream's internal buffer happened to end immediately after the \r, then we'd read past the end of the buffer thanks to a bug in lpu_inputstream_peek which was fixed in r5965. In any case, we'd still be looking at the wrong character when looking for CRLF pairs. All regression tests now pass again.
svn path=/trunk/hubbub/; revision=5967
---
 src/tokeniser/tokeniser.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tokeniser/tokeniser.c b/src/tokeniser/tokeniser.c
index 7bb53aa..6ffa8b7 100644
--- a/src/tokeniser/tokeniser.c
+++ b/src/tokeniser/tokeniser.c
@@ -1708,7 +1708,7 @@ hubbub_error hubbub_tokeniser_handle_bogus_comment(hubbub_tokeniser *tokeniser)
 } else if (c == '\r') {
 error = parserutils_inputstream_peek(
 tokeniser->input,
- tokeniser->context.pending + len, //XXX
+ tokeniser->context.pending,
 &cptr, &len);
@@ -2224,7 +2224,7 @@ hubbub_error hubbub_tokeniser_handle_doctype_public_dq(
 } else if (c == '\r') {
 error = parserutils_inputstream_peek(
 tokeniser->input,
- tokeniser->context.pending + len, ///XXX
+ tokeniser->context.pending,
 &cptr, &len);
@@ -2274,7 +2274,7 @@ hubbub_error hubbub_tokeniser_handle_doctype_public_sq(
 } else if (c == '\r') {
 error = parserutils_inputstream_peek(
 tokeniser->input,
- tokeniser->context.pending + len, //XXX
+ tokeniser->context.pending,
 &cptr, &len);
@@ -2468,7 +2468,7 @@ hubbub_error hubbub_tokeniser_handle_doctype_system_dq(
 } else if (c == '\r') {
 error = parserutils_inputstream_peek(
 tokeniser->input,
- tokeniser->context.pending + len, //XXX
+ tokeniser->context.pending,
 &cptr, &len);
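Review bot: The corrected `\r` lookahead — peek at `tokeniser->context.pending` with `&cptr, &len` — is now the same three-line sequence repeated verbatim in five state handlers (this hunk in handle_bogus_comment and the ones at 2224, 2274, 2468 and 2518), which is exactly how the `+ len` offset error was copied five times in the first place; a single `static` helper would turn the next such fix into a one-place change. Note that the peek overwrites `len`, so any code after the call that still wants the length of the consumed `\r` must have saved it earlier — that code, and the check of `error` for a short buffer or end of input (which is where a truncated buffer now surfaces instead of an out-of-bounds read), lie outside the hunk and cannot be verified here. Each enclosing handler starts and ends outside its hunk.
```c
/* Peek at the byte that follows an already-consumed '\r' (the tokeniser's
 * current position), so the caller can collapse a CRLF pair. Overwrites
 * *len with the length of the peeked character. */
static parserutils_error peek_after_cr(hubbub_tokeniser *tokeniser,
		const uint8_t **cptr, size_t *len)
{
	return parserutils_inputstream_peek(tokeniser->input,
			tokeniser->context.pending, cptr, len);
}

/* … unchanged: each handler's state machine … */
	} else if (c == '\r') {
		error = peek_after_cr(tokeniser, &cptr, &len);
```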
@@ -2518,7 +2518,7 @@ hubbub_error hubbub_tokeniser_handle_doctype_system_sq(
 } else if (c == '\r') {
 error = parserutils_inputstream_peek(
 tokeniser->input,
- tokeniser->context.pending + len, //XXX
+ tokeniser->context.pending,
 &cptr, &len);
--
cgit v1.2.3