Commit 06c51cdf9302967be1547a00fa449d9889ab4666
2011-05-23T18:01:24
Prevent size_t overflow in evhttp_htmlescape. Modified the `html_replace' function so that it returns the length of the replacement string instead of the string itself. This is used to easily check for overflows of the `new_size' variable in the first for loop of the `evhttp_htmlescape' function, and thus potential out of bounds writes in the second for loop (if an overflow occurs in new_size, then new_size < old_size). Also check that new_size + 1 doesn't overflow in mm_malloc(new_size + 1). Removed the `scratch_space' variable from the `evhttp_htmlescape' function since it wasn't actually used; also removed the `buf' variable from the `evhttp_htmlescape' function since it was only used by `scratch_space'.