
Fix an off by one pointer access

getting out of the range of memory allocated for xpointer decoding
1 parent fc74a6f commit d8e1faeaa99c7a7c07af01c1c72de352eb590a3e Jüri Aedla committed with veillard May 7, 2012
Showing with 4 additions and 11 deletions.
  1. +4 −11 xpointer.c
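--- a/xpointer.c
+++ b/xpointer.c
@@ -1007,21 +1007,14 @@ xmlXPtrEvalXPtrPart(xmlXPathParserContextPtr ctxt, xmlChar *name) {
 NEXT;
 break;
 }
- *cur++ = CUR;
 } else if (CUR == '(') {
 level++;
- *cur++ = CUR;
 } else if (CUR == '^') {
- NEXT;
- if ((CUR == ')') || (CUR == '(') || (CUR == '^')) {
- *cur++ = CUR;
- } else {
- *cur++ = '^';
- *cur++ = CUR;
- }
- } else {
- *cur++ = CUR;
+ if ((NXT(1) == ')') || (NXT(1) == '(') || (NXT(1) == '^')) {
+ NEXT;
+ }
 }
+ *cur++ = CUR;
 NEXT;
 }
 *cur = 0;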
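Review bot: The single `*cur++ = CUR;` at the bottom of the loop stays in bounds only because of two invariants that the new code never states: each iteration stores exactly one byte for at least one byte consumed, and `NXT(1)` is evaluated only when `CUR` is `'^'`, so (assuming `NXT(1)` is a plain one-byte lookahead) it reads at most the terminator. The loop head and the allocation of the output buffer are outside the hunk, so the buffer size cannot be confirmed from here. A comment above the `'^'` branch would protect the fix from later edits, for example `/* '^' escapes ')', '(' and '^'; skip it only when one of those follows, so NEXT never steps past the terminating 0 */`. The commit touches only xpointer.c, so a regression test for a part whose last character is an unescaped `^` would also be worth adding.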
