On Mon, May 23, 2011 at 6:07 PM, Nick Mathewson <ni...@freehaven.net> wrote:
> On Mon, May 23, 2011 at 5:54 PM, Mansour Moufid <mansourmou...@gmail.com> wrote:
>> A couple changes in the file `http.c'.
>>
>> Removed the `scratch_space' variable from the `evhttp_htmlescape'
>> function since it wasn't actually used; also removed the `buf'
>> variable from the `evhttp_htmlescape' function since it was only used
>> by `scratch_space'.
>>
>> Modified the `html_replace' function so that it returns the length of
>> the replacement string instead of the string itself. This is used to
>> easily check for overflows of the `new_size' variable in the first for
>> loop of the `evhttp_htmlescape' function, and thus potential out of
>> bounds writes in the second for loop (if an overflow occurs in
>> new_size, then new_size < old_size). Also check that new_size + 1
>> doesn't overflow in mm_malloc(new_size + 1).
>
> I like it, except for all the 'if (escaped != NULL)' checks:
> assignments are much cheaper than branches, so let's just always pass
> in a pointer for "escaped".
>
> Alternative patch attached: looks ok?

Looks great to me!
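The size checks discussed in this thread, as an added C example that is not the attached patch or libevent's own code: a two-pass HTML escaper whose first pass sums replacement lengths with a wrap check and also rejects the case where `new_size + 1` would overflow. The names `replacement_len`, `add_checked` and `escape_html`, the replacement table, and the use of plain `malloc` are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: store the replacement for c in *escaped and
 * return its length. Unescaped characters return 1 with *escaped = NULL. */
static size_t replacement_len(char c, const char **escaped)
{
    switch (c) {
    case '<':  *escaped = "&lt;";   return 4;
    case '>':  *escaped = "&gt;";   return 4;
    case '"':  *escaped = "&quot;"; return 6;
    case '\'': *escaped = "&#039;"; return 6;
    case '&':  *escaped = "&amp;";  return 5;
    default:   *escaped = NULL;     return 1;
    }
}

/* Add b to *total; return 0 on success, -1 if the sum would wrap. */
static int add_checked(size_t *total, size_t b)
{
    if (b > SIZE_MAX - *total)
        return -1;
    *total += b;
    return 0;
}

/* Pass 1 sizes the output with checked additions; pass 2 writes it.
 * Returns a malloc'd string, or NULL on overflow or allocation failure. */
char *escape_html(const char *html)
{
    size_t i, old_size = strlen(html), new_size = 0;
    const char *rep;
    char *out, *p;

    for (i = 0; i < old_size; ++i)
        if (add_checked(&new_size, replacement_len(html[i], &rep)) < 0)
            return NULL;
    if (new_size == SIZE_MAX)          /* new_size + 1 would wrap to 0 */
        return NULL;
    if ((p = out = malloc(new_size + 1)) == NULL)
        return NULL;
    for (i = 0; i < old_size; ++i) {
        size_t n = replacement_len(html[i], &rep);
        memcpy(p, rep ? rep : &html[i], n);
        p += n;
    }
    *p = '\0';
    return out;
}
```

Without the checked addition, a wrapped `new_size` would be smaller than the input length, so the second loop would write past the end of the allocation.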