From 4ad59914e8a570d869f4e66540578cc3bdbc04eb Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Mon, 10 Oct 2011 19:54:15 +0200
Subject: [PATCH] mothra: fix unicode buffer overflow and spurious select crash, webfs: dont rewrite relative url
---
 sys/src/cmd/mothra/forms.c | 8 ++++++--
 sys/src/cmd/mothra/mothra.c | 2 --
 sys/src/cmd/mothra/rdhtml.c | 22 +++++++++++-----------
 sys/src/cmd/webfs/url.c | 4 +++-
 4 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/sys/src/cmd/mothra/forms.c b/sys/src/cmd/mothra/forms.c
index 2c1e3b22b..9ce604efb 100644
--- a/sys/src/cmd/mothra/forms.c
+++ b/sys/src/cmd/mothra/forms.c
@@ -225,7 +225,7 @@ void rdform(Hglob *g){
 break;
 case Tag_option:
 if(g->form==0) goto BadTag;
- f=g->form->efields;
+ if((f=g->form->efields)==0) goto BadTag;
 o=emallocz(sizeof(Option), 1);
 for(op=&f->options;*op;op=&(*op)->next);
 *op=o;
@@ -288,6 +288,8 @@ void rdform(Hglob *g){
 * Called by rdhtml on seeing a forms-related end tag
 */
 void endform(Hglob *g){
+ Field *f;
+
 switch(g->tag){
 case Tag_form:
 g->form=0;
@@ -295,8 +297,10 @@ void endform(Hglob *g){
 case Tag_select:
 if(g->form==0)
 htmlerror(g->name, g->lineno, " not in form, ignored\n");
+ else if((f=g->form->efields)==0)
+ htmlerror(g->name, g->lineno, "spurious \n");
 else
- pl_htmloutput(g, g->nsp, g->form->efields->name,g->form->efields);
+ pl_htmloutput(g, g->nsp, f->name, f);
 break;
 case Tag_textarea:
 break;
diff --git a/sys/src/cmd/mothra/mothra.c b/sys/src/cmd/mothra/mothra.c
index 5620f3c32..b2fb2787f 100644
--- a/sys/src/cmd/mothra/mothra.c
+++ b/sys/src/cmd/mothra/mothra.c
@@ -1064,11 +1064,9 @@ mothon(Www *w, int on)
 t->next = nil;
 ap=mallocz(sizeof(Action), 1);
 ap->link = strdup(a->link);
- t->space += 4;
 plrtstr(&t->next, 0, 0, t->font, strdup("->"), 1, ap);
 t->next->next = x;
 } else {
- t->space -= 4;
 t->next = x->next;
 x->next = nil;
 freetext(x);
diff --git a/sys/src/cmd/mothra/rdhtml.c b/sys/src/cmd/mothra/rdhtml.c
index fa3bbc8cc..6a8343f34 100644
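Review bot: The new guard in the `Tag_option` case of rdform only rejects a nil `efields`; nothing in the hunk confirms that the last field is a select before the option is linked onto `f->options`. If `efields` is simply the most recently added field of any kind (its definition is not visible here), an option tag that follows some other input would still be attached to that field. A field-kind test beside the nil check would close that, together with a comment such as `/* efields is the newest field; nil while the form has none */`. The `Tag_select` branch of endform in the third hunk has the same gap, since it passes `f` to `pl_htmloutput` after only a nil test. rdform's body continues outside the hunk.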
--- a/sys/src/cmd/mothra/rdhtml.c
+++ b/sys/src/cmd/mothra/rdhtml.c
@@ -210,7 +210,7 @@ int pl_nextc(Hglob *g){
 int c;
 int n;
 Rune r;
- char crune[4];
+ char crune[UTFmax+1];
 if(g->heof) return EOF;
 if(g->npeekc!=0) return g->peekc[--g->npeekc];
 c=pl_readc(g);
@@ -229,9 +229,8 @@ int pl_nextc(Hglob *g){
 }
 if(c=='>') return ETAG;
 if(c==EOF) return c;
- n=0;
- for (;;){
- crune[n++]=c;
+ for (n=1; n<=sizeof(crune); n++){
+ crune[n-1]=c;
 if(fullrune(crune, n)){
 chartorune(&r, crune);
 return r;
@@ -437,7 +436,7 @@ int pl_gettag(Hglob *g){
 return pl_getcomment(g);
 pl_putback(g, c);
 while((c=pl_nextc(g))!=ETAG && c!=EOF)
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
 *tokp='\0';
 if(c==EOF) htmlerror(g->name, g->lineno, "EOF in tag");
 pl_tagparse(g, g->token);
@@ -464,12 +463,12 @@ int pl_gettoken(Hglob *g){
 default:
 tokp=g->token;
 while(c=='\t'){
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
 c=pl_nextc(g);
 }
 while(c!='\t' && c!='\n' && c!=STAG && c!=EOF){
 if(c==ETAG) c='>';
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
 c=pl_nextc(g);
 }
 *tokp='\0';
@@ -489,7 +488,7 @@ int pl_gettoken(Hglob *g){
 tokp=g->token;
 do{
 if(c==ETAG) c='>';
- if(tokp!=&g->token[NTOKEN-3]) tokp += lrunetochar(tokp, c);
+ if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);
 c=pl_nextc(g);
 }while(c!=' ' && c!='\t' && c!='\n' && c!=STAG && c!=EOF);
 *tokp='\0';
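Review bot: In the rewritten loop of pl_nextc the length returned by `chartorune(&r, crune)` is still discarded, so when a malformed sequence decodes to an error rune shorter than the `n` bytes already read, the surplus bytes are dropped from the input. If fullrune judges completeness from the lead byte alone (its definition is not on this page), a stray lead byte followed by ASCII would swallow those characters, and the parser would see different markup than another consumer of the same bytes. Comparing the return value with `n` and handing the unconsumed bytes back to the reader would avoid that. The bound `n<=sizeof(crune)` also lets the loop fill the slot added by `UTFmax+1`; a comment like `/* fullrune is expected to succeed by n==UTFmax; the last slot is slack */` would state the intent. The rest of the loop and the fall-through path lie outside the hunk.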
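Review bot: The bounded append `if(tokp < &g->token[NTOKEN-UTFmax-1]) tokp += lrunetochar(tokp, c);` is written out four times, once here in pl_gettag and three times across the two pl_gettoken hunks that follow, so the reserve has to be kept in step by hand in every copy. Computing a named end pointer once, or wrapping the append in a small static helper, would keep it in one place, with a comment such as `/* keep room for one rune of up to UTFmax bytes plus the NUL */`. The bound is sufficient only if lrunetochar never writes more than UTFmax bytes, which this page does not show. Over-long tags and tokens are still truncated silently before pl_tagparse runs; an htmlerror call on the first dropped rune would make the truncation visible.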
@@ -518,19 +517,19 @@ void plaintext(Hglob *g){ int c; g->state->font=CWIDTH; g->state->size=NORMAL; - elp=&line[NLINE+1]; + elp=&line[NLINE-UTFmax-1]; lp=line; for(;;){ c=pl_readc(g); if(c==EOF) break; - if(c=='\n' || lp==elp){ + if(c=='\n' || lp>=elp){ *lp='\0'; g->linebrk=1; pl_htmloutput(g, 0, line, 0); lp=line; } if(c=='\t'){ - do *lp++=' '; while(lp!=elp && utfnlen(line, lp-line)%8!=0); + do *lp++=' '; while(lptag=Tag_html; g.state->font=ROMAN; diff --git a/sys/src/cmd/webfs/url.c b/sys/src/cmd/webfs/url.c index a82f3b020..d2f01612f 100644 --- a/sys/src/cmd/webfs/url.c +++ b/sys/src/cmd/webfs/url.c @@ -901,6 +901,8 @@ rewriteurl(Url *u) { char *s; + if(u->scheme == nil) + return; if(u->schemedata) s = estrmanydup(u->scheme, ":", u->schemedata, nil); else @@ -909,7 +911,7 @@ rewriteurl(Url *u) u->passwd ? ":" : "", u->passwd ? u->passwd : "", u->user ? "@" : "", u->host ? u->host : "", u->port ? ":" : "", u->port ? u->port : "", - u->path, + u->path ? u->path : "", u->query ? "?" : "", u->query ? u->query : "", u->fragment ? "#" : "", u->fragment ? u->fragment : "", nil);
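Review bot: The `if(u->scheme == nil) return;` added at the top of rewriteurl is silent: the function is void, so a caller cannot tell that a scheme-less URL kept its string exactly as parsed while absolute ones are rebuilt from their components. A comment at the check, for example `/* relative reference: no scheme to rebuild from, leave the string as parsed */`, would record that contract. Callers that compare, filter or log the rewritten string should be checked for assuming the normalised form, since the two paths can now yield differently shaped strings for input that is otherwise equivalent. rewriteurl's body continues outside both hunks.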