Closed jphickey closed 1 year ago
Dug deeper into this, and found the problem is not related to the buffer size as I had originally thought. Although that is a definite issue as well, in this case the LongDescription that triggered the segfault was only about 3KB in length.
The real issue causing the segfault was due to the fact that the description had some embedded HTML tags in it (<i> in this case) and these were not well tested. In this case the tag had no attributes, so the xml_attrs table was (correctly) nil. However, the "recreate_xml" implementation did not check for a nil argument, and attempted to traverse the table, which is where the segfault occurred.
Subsequent PR will fix both processing issues (8k length + nil attributes).
This is similar in nature to #29 that was recently fixed, in that when parsing the LongDescription element, the code uses a luaL_Buffer object to temporarily hold the text. Unfortunately, this object is only 8KB in size by default (compile-time constant) and the Lua library does not protect against overrunning this buffer when using this object.
As a result, if an EDS has a verbose LongDescription where the text of this element exceeds 8KB, a segfault occurs when parsing it.
This likely needs to be changed to use a malloc() buffer for holding the text in order to accommodate longer elements.
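The two fixes discussed in this thread, sketched in plain C as an added example (not the project's code and not the eventual PR): a heap-backed text buffer that grows past 8KB, and a tag re-emitter that accepts a missing attribute list. The names `textbuf_t`, `textbuf_append`, `emit_open_tag` and `demo_len` are hypothetical, and a NULL pointer stands in for the nil `xml_attrs` table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical growable text accumulator; heap-backed, so no fixed 8KB ceiling. */
typedef struct { char *data; size_t len, cap; } textbuf_t;

/* Append n bytes, growing the allocation as needed. Returns 0 on success, -1 on failure. */
static int textbuf_append(textbuf_t *b, const char *s, size_t n)
{
    if (n >= SIZE_MAX - b->len) return -1;          /* length arithmetic would wrap */
    size_t need = b->len + n + 1;                   /* +1 for the terminating NUL */
    if (need > b->cap) {
        size_t cap = b->cap ? b->cap : 256;
        while (cap < need) cap = (cap > SIZE_MAX / 2) ? need : cap * 2;
        char *p = realloc(b->data, cap);
        if (p == NULL) return -1;                   /* old buffer is still valid */
        b->data = p;
        b->cap = cap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n; b->data[b->len] = '\0';
    return 0;
}

/* Re-emit an opening tag. attrs is a NULL-terminated list of name/value pairs, or
 * NULL when the tag has no attributes. Values are assumed to be XML-escaped already. */
static int emit_open_tag(textbuf_t *b, const char *name, const char *const *attrs)
{
    if (textbuf_append(b, "<", 1) || textbuf_append(b, name, strlen(name))) return -1;
    for (size_t i = 0; attrs != NULL && attrs[i] != NULL && attrs[i + 1] != NULL; i += 2) {
        if (textbuf_append(b, " ", 1) || textbuf_append(b, attrs[i], strlen(attrs[i])) ||
            textbuf_append(b, "=\"", 2) ||
            textbuf_append(b, attrs[i + 1], strlen(attrs[i + 1])) ||
            textbuf_append(b, "\"", 1)) return -1;
    }
    return textbuf_append(b, ">", 1);
}

/* Constructed input: an attribute-less <i> tag followed by 16000 bytes of text. */
static size_t demo_len(void)
{
    textbuf_t b = {0};
    int rc = emit_open_tag(&b, "i", NULL);
    for (int i = 0; rc == 0 && i < 1000; i++)
        rc = textbuf_append(&b, "0123456789abcdef", 16);
    size_t len = (rc == 0) ? b.len : 0;
    free(b.data);
    return len;
}

int main(void) { printf("%zu\n", demo_len()); return 0; }
```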