Fix potential heap underflow with empty attributes (Issue #464)

michaelrsweet · Jan 12, 2022 · 14f0d31 · 14f0d31
1 parent fa17acd
commit 14f0d31
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 25 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -3,6 +3,7 @@
 - Fixed a potential heap overflow bug with GIF images (Issue #461)
 - Fixed a potential double-free bug with PNG images (Issue #462)
 - Fixed a potential stack overflow bug with GIF images (Issue #463)
+- Fixed a potential heap underflow bug with empty attributes (Issue #464)
 
 
 # Changes in HTMLDOC v1.9.14

diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
@@ -5507,9 +5507,7 @@ parse_pre(tree_t *t,		/* I - Tree to parse */
       if (flat->height > height)
         height = flat->height;
 
-      if (flat->markup == MARKUP_BR ||
-          (flat->markup == MARKUP_NONE && flat->data &&
-	   flat->data[strlen((char *)flat->data) - 1] == '\n'))
+      if (flat->markup == MARKUP_BR || (flat->markup == MARKUP_NONE && flat->data && flat->data[0] && flat->data[strlen((char *)flat->data) - 1] == '\n'))
         break;
     }
 
@@ -5953,7 +5951,7 @@ render_table_row(hdtable_t &table,
 	      break;
     }
 
-    if (height_var != NULL)
+    if (height_var != NULL && *height_var)
     {
       // Hardcode the row height...
       if (height_var[strlen((char *)height_var) - 1] == '%')
@@ -6395,7 +6393,7 @@ parse_table(tree_t *t,			// I - Tree to parse
 
   cells = NULL;
 
-  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL)
+  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL && *var)
   {
     if (var[strlen((char *)var) - 1] == '%')
       table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
@@ -6408,7 +6406,7 @@ parse_table(tree_t *t,			// I - Tree to parse
   else
     table_width = right - left;
 
-  if ((var = htmlGetVariable(t, (uchar *)"HEIGHT")) != NULL)
+  if ((var = htmlGetVariable(t, (uchar *)"HEIGHT")) != NULL && *var)
   {
     if (var[strlen((char *)var) - 1] == '%')
       table.height = (float)(atof((char *)var) * (top - bottom) / 100.0f);
@@ -6614,7 +6612,7 @@ parse_table(tree_t *t,			// I - Tree to parse
 
           // Compute the cell size...
           col_width = get_cell_size(tempcol, 0.0f, table_width, &col_min, &col_pref, &col_height);
-          if ((var = htmlGetVariable(tempcol, (uchar *)"WIDTH")) != NULL)
+          if ((var = htmlGetVariable(tempcol, (uchar *)"WIDTH")) != NULL && *var)
 	  {
 	    if (var[strlen((char *)var) - 1] == '%')
 	    {
@@ -6724,7 +6722,7 @@ parse_table(tree_t *t,			// I - Tree to parse
   * Now figure out the width of the table...
   */
 
-  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL)
+  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL && *var)
   {
     if (var[strlen((char *)var) - 1] == '%')
       width = (float)(atof((char *)var) * (right - left) / 100.0f);
@@ -7070,7 +7068,7 @@ parse_table(tree_t *t,			// I - Tree to parse
     if (height_var != NULL && row == header_row)
       header_height_var = height_var;
 
-    if (cells[row][0] != NULL && height_var != NULL)
+    if (cells[row][0] != NULL && height_var != NULL && *height_var)
     {
       // Row height specified; make sure it'll fit...
       if (height_var[strlen((char *)height_var) - 1] == '%')
@@ -9056,8 +9054,7 @@ get_cell_size(tree_t *t,		// I - Cell
                 (void *)t, left, right, (void *)minwidth, (void *)prefwidth, (void *)minheight));
 
   // First see if the width has been specified for this cell...
-  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL &&
-      (var[strlen((char *)var) - 1] != '%' || (right - left) > 0.0f))
+  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL && *var && (var[strlen((char *)var) - 1] != '%' || (right - left) > 0.0f))
   {
     // Yes, use it!
     if (var[strlen((char *)var) - 1] == '%')
@@ -9164,8 +9161,7 @@ get_cell_size(tree_t *t,		// I - Cell
 	    minw = temp->width;
 	  }
 
-          if (temp->preformatted && temp->data != NULL &&
-              temp->data[strlen((char *)temp->data) - 1] == '\n')
+          if (temp->preformatted && temp->data != NULL && temp->data[0] && temp->data[strlen((char *)temp->data) - 1] == '\n')
           {
 	    // End of a line - check preferred width...
 	    frag_pref += temp->width + 1;
@@ -9195,8 +9191,7 @@ get_cell_size(tree_t *t,		// I - Cell
 	  else
 	    frag_pref += temp->width;
 
-          if (temp->preformatted && temp->data != NULL &&
-              temp->data[strlen((char *)temp->data) - 1] == '\n')
+          if (temp->preformatted && temp->data != NULL && temp->data[0] &&  temp->data[strlen((char *)temp->data) - 1] == '\n')
 	  {
 	    // Check required width...
             frag_width += temp->width + 1;
@@ -9210,9 +9205,7 @@ get_cell_size(tree_t *t,		// I - Cell
 
             frag_width = 0.0f;
 	  }
-          else if (!temp->preformatted && temp->data != NULL &&
-	           (isspace(temp->data[0]) ||
-	 	    (temp->data[0] && isspace(temp->data[strlen((char *)temp->data) - 1]))))
+          else if (!temp->preformatted && temp->data != NULL && temp->data[0] && (isspace(temp->data[0]) || (temp->data[0] && isspace(temp->data[strlen((char *)temp->data) - 1]))))
 	  {
 	    // Check required width...
 	    if (isspace(temp->data[0]))
@@ -9387,8 +9380,7 @@ get_table_size(tree_t *t,		// I - Table
                 (void *)t, left, right, (void *)minwidth, (void *)prefwidth, (void *)minheight));
 
   // First see if the width has been specified for this table...
-  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL &&
-      (var[strlen((char *)var) - 1] != '%' || (right - left) > 0.0f))
+  if ((var = htmlGetVariable(t, (uchar *)"WIDTH")) != NULL && *var && (var[strlen((char *)var) - 1] != '%' || (right - left) > 0.0f))
   {
     // Yes, use it!
     if (var[strlen((char *)var) - 1] == '%')
@@ -9403,7 +9395,7 @@ get_table_size(tree_t *t,		// I - Table
   prefw = 0.0f;
 
   // Then the height...
-  if ((var = htmlGetVariable(t, (uchar *)"HEIGHT")) != NULL)
+  if ((var = htmlGetVariable(t, (uchar *)"HEIGHT")) != NULL && *var)
   {
     // Yes, use it!
     if (var[strlen((char *)var) - 1] == '%')
@@ -9689,7 +9681,7 @@ update_image_size(tree_t *t)	/* I - Tree entry */
   width  = htmlGetVariable(t, (uchar *)"WIDTH");
   height = htmlGetVariable(t, (uchar *)"HEIGHT");
 
-  if (width != NULL && height != NULL)
+  if (width != NULL && *width && height != NULL && *height)
   {
     if (width[strlen((char *)width) - 1] == '%')
       t->width = (float)(atof((char *)width) * PagePrintWidth / 100.0f);
@@ -9709,7 +9701,7 @@ update_image_size(tree_t *t)	/* I - Tree entry */
   if (img == NULL)
     return;
 
-  if (width != NULL)
+  if (width != NULL && *width)
   {
     if (width[strlen((char *)width) - 1] == '%')
       t->width = (float)(atof((char *)width) * PagePrintWidth / 100.0f);
@@ -9718,7 +9710,7 @@ update_image_size(tree_t *t)	/* I - Tree entry */
 
     t->height = t->width * img->height / img->width;
   }
-  else if (height != NULL)
+  else if (height != NULL && *height)
   {
     if (height[strlen((char *)height) - 1] == '%')
       t->height = (float)(atof((char *)height) * PagePrintWidth / 100.0f);
@@ -12487,7 +12479,7 @@ write_type1(FILE       *out,		/* I - File to write to */
     while (fgets(line, sizeof(line), fp) != NULL)
       fputs(line, out);
 
-    if (line[strlen(line) - 1] != '\n')
+    if (line[0] && line[strlen(line) - 1] != '\n')
       fputs("\n", out);
 
     fputs("%%EndResource\n", out);