diff options
| author | John Mark Bell <jmb@netsurf-browser.org> | 2011-11-05 18:36:21 +0000 |
|---|---|---|
| committer | John Mark Bell <jmb@netsurf-browser.org> | 2011-11-05 18:36:21 +0000 |
| commit | 30c91aa4e7939033c1798c93527d19b6e2c554b0 (patch) | |
| tree | decad34821df191d4ed6edb1751827fc5f071667 /render | |
| parent | 044fec706f2ea5a074f76f739532986e73f915a6 (diff) | |
| download | netsurf-30c91aa4e7939033c1798c93527d19b6e2c554b0.tar.gz netsurf-30c91aa4e7939033c1798c93527d19b6e2c554b0.tar.bz2 | |
Fix bug #3433787: ignore empty meta refresh content attribute.
Squash memory leaks in error cases.
svn path=/trunk/netsurf/; revision=13127
Diffstat (limited to 'render')
| -rw-r--r-- | render/html.c | 36 |
1 files changed, 28 insertions, 8 deletions
diff --git a/render/html.c b/render/html.c index 72daa1a11..dfd63f3aa 100644 --- a/render/html.c +++ b/render/html.c @@ -933,13 +933,13 @@ bool html_meta_refresh(html_content *c, xmlNode *head) nsurl *nsurl; nserror error; - for (n = head == 0 ? 0 : head->children; n; n = n->next) { + for (n = head == NULL ? NULL : head->children; n; n = n->next) { if (n->type != XML_ELEMENT_NODE) continue; /* Recurse into noscript elements */ if (strcmp((const char *) n->name, "noscript") == 0) { - if (!html_meta_refresh(c, n)) { + if (html_meta_refresh(c, n) == false) { /* Some error occurred */ return false; } else if (c->base.refresh) { @@ -948,15 +948,15 @@ bool html_meta_refresh(html_content *c, xmlNode *head) } } - if (strcmp((const char *) n->name, "meta")) { + if (strcmp((const char *) n->name, "meta") != 0) { continue; } equiv = xmlGetProp(n, (const xmlChar *) "http-equiv"); - if (!equiv) + if (equiv == NULL) continue; - if (strcasecmp((const char *) equiv, "refresh")) { + if (strcasecmp((const char *) equiv, "refresh") != 0) { xmlFree(equiv); continue; } @@ -964,7 +964,7 @@ bool html_meta_refresh(html_content *c, xmlNode *head) xmlFree(equiv); content = xmlGetProp(n, (const xmlChar *) "content"); - if (!content) + if (content == NULL) continue; end = (char *) content + strlen((const char *) content); @@ -980,8 +980,21 @@ bool html_meta_refresh(html_content *c, xmlNode *head) * nonascii := [#x80-#xD7FF#xE000-#xFFFD#x10000-#x10FFFF] */ - /* *LWS intpart */ - msg_data.delay = (int)strtol((char *) content, &url, 10); + url = (char *) content; + + /* *LWS */ + while (url < end && isspace(*url)) { + url++; + } + + /* intpart */ + if (url == end || (*url < '0' || '9' < *url)) { + /* Empty content, or invalid timeval */ + xmlFree(content); + continue; + } + + msg_data.delay = (int) strtol(url, &url, 10); /* a very small delay and self-referencing URL can cause a loop * that grinds machines to a halt. To prevent this we set a * minimum refresh delay of 1s. */ @@ -1026,10 +1039,12 @@ bool html_meta_refresh(html_content *c, xmlNode *head) url += 3; } else { /* Unexpected input, ignore this header */ + xmlFree(content); continue; } } else { /* Insufficient input, ignore this header */ + xmlFree(content); continue; } @@ -1044,10 +1059,12 @@ bool html_meta_refresh(html_content *c, xmlNode *head) url++; } else { /* Unexpected input, ignore this header */ + xmlFree(content); continue; } } else { /* Insufficient input, ignore this header */ + xmlFree(content); continue; } @@ -1081,9 +1098,12 @@ bool html_meta_refresh(html_content *c, xmlNode *head) error = nsurl_join(c->base_url, refresh, &nsurl); if (error != NSERROR_OK) { + xmlFree(content); + msg_data.error = messages_get("NoMemory"); content_broadcast(&c->base, CONTENT_MSG_ERROR, msg_data); + return false; } |