Fix buffer overflow in named entity parsing.

ChatSecure · Nov 2, 2016 · 7260098 · 7260098
1 parent e7d13e2
commit 7260098
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Change Log
 
+## Unreleased
+
+* Fix buffer overlow when parsing named entities.
+    * This would happen when attempting to parse the first semicolonless named entity `AElig`.
+
 ## [2.0][]
 
 * Fix `HTMLElement`'s subscripting abilities not getting bridged into Swift (issue #59 revisited).

diff --git a/Sources/HTMLEntities.m b/Sources/HTMLEntities.m
@@ -2341,13 +2341,13 @@ static int (^NamedMapPrefixComparator)() = ^int(const void *voidKey, const void
     NamedReferenceMap *nearbyItem = bsearch_b((__bridge void *)search, NamedSemicolonlessReferences, count, sizeof(NamedReferenceMap), NamedMapPrefixComparator);
     if (!nearbyItem) return nil;
     NamedReferenceMap *longestPrefixItem = nearbyItem;
-    for (NamedReferenceMap *item = nearbyItem - 1; item >= NamedReferences; item--) {
+    for (NamedReferenceMap *item = nearbyItem - 1; item >= NamedSemicolonlessReferences; item--) {
         if (![item->name hasPrefix:nearbyItem->name]) break;
         if ([search hasPrefix:item->name] && item->name.length > longestPrefixItem->name.length) {
             longestPrefixItem = item;
         }
     }
-    for (NamedReferenceMap *item = nearbyItem + 1; item < NamedReferences + count; item++) {
+    for (NamedReferenceMap *item = nearbyItem + 1; item < NamedSemicolonlessReferences + count; item++) {
         if (![item->name hasPrefix:nearbyItem->name]) break;
         if ([search hasPrefix:item->name] && item->name.length > longestPrefixItem->name.length) {
             longestPrefixItem = item;