From f132f5df437b0fbdef73899943da56ae810f9f1f Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Sat, 24 Nov 2012 14:30:55 +0100
Subject: xps: Fix potential off-by-one buffer overwrite in XML parser.
---
 xps/xps_xml.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/xps/xps_xml.c b/xps/xps_xml.c
index e89a24d2..fd7f6805 100644
--- a/xps/xps_xml.c
+++ b/xps/xps_xml.c
@@ -165,8 +165,8 @@ static void xml_emit_open_tag(struct parser *parser, char *a, char *b)
 struct element *head, *tail;
 head = fz_malloc_struct(parser->ctx, struct element);
- if (b - a > sizeof(head->name))
- b = a + sizeof(head->name);
+ if (b - a > sizeof(head->name) - 1)
+ b = a + sizeof(head->name) - 1;
 memcpy(head->name, a, b - a);
 head->name[b - a] = 0;
@@ -195,8 +195,8 @@ static void xml_emit_att_name(struct parser *parser, char *a, char *b)
 struct attribute *att;
 att = fz_malloc_struct(parser->ctx, struct attribute);
- if (b - a > sizeof(att->name))
- b = a + sizeof(att->name);
+ if (b - a > sizeof(att->name) - 1)
+ b = a + sizeof(att->name) - 1;
 memcpy(att->name, a, b - a);
 att->name[b - a] = 0;
 att->value = NULL;
-- 
cgit v1.2.3
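Review bot: In both clamps (`head->name` in xml_emit_open_tag and `att->name` in xml_emit_att_name) an over-long name is still truncated silently, so two distinct element or attribute names that share their first `sizeof(name) - 1` bytes become indistinguishable to whatever matches on them later. The comparison also mixes the signed `b - a` with the unsigned `sizeof` result, so the bound is only correct while callers guarantee `b >= a`; that presumably holds for the parser's scan pointers but is not visible in these hunks. I would state both on the clamp, e.g. `/* truncate to fit; -1 leaves room for the terminator; caller guarantees a <= b */`, and consider a shared helper so the two copies cannot drift apart again. Both function bodies continue outside the hunks.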