Fossil SCM
Avoid segfault while serving [/help?cmd=/wdiff|/wdiff] page with empty "pid" parameter in the query string. Segfault occurs due to dereferencing of NULL pointer in pW2, which happens because both name_to_typed_rid("","w") and manifest_get(0,...) return 0.
Commit
7b81aac17a10ff4c62757c637fc73ea91628c71e20ea7aa70861798b22b2896a
Parent
1a403a7a0c14207…
1 file changed
+2
-2
+2
-2
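--- a/src/wiki.c
+++ b/src/wiki.c
@@ -1692,14 +1692,14 @@
 zId = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid1);
 pW1 = manifest_get(rid1, CFTYPE_WIKI, 0);
 if( pW1==0 ) fossil_redirect_home();
 blob_init(&w1, pW1->zWiki, -1);
 zPid = P("pid");
-if( zPid==0 && pW1->nParent ){
+if( ( zPid==0 || zPid[0] == 0 ) && pW1->nParent ){
 zPid = pW1->azParent[0];
 }
-if( zPid ){
+if( zPid && zPid[0] != 0 ){
 char *zDate;
 rid2 = name_to_typed_rid(zPid, "w");
 pW2 = manifest_get(rid2, CFTYPE_WIKI, 0);
 blob_init(&w2, pW2->zWiki, -1);
 @ <h2>Changes to \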
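Review bot: `pW2` is still dereferenced unchecked at `blob_init(&w2, pW2->zWiki, -1);` (new line 1704), so the NULL dereference remains reachable for any non-empty `pid` that does not resolve to a wiki artifact. The new guards only filter the empty string; the commit message says `name_to_typed_rid()` and `manifest_get()` both return 0 on failure, and presumably they do the same for an unknown or non-wiki name. Since `pid` comes straight from the query string, I would mirror the `pW1` check on line 1694 and add `if( pW2==0 ) fossil_redirect_home();` directly after the `manifest_get(rid2, CFTYPE_WIKI, 0)` call. The enclosing function starts and ends outside this hunk, so any later uses of `pW2` are not visible here and should be checked as well.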
| --- src/wiki.c | |
| +++ src/wiki.c | |
| @@ -1692,14 +1692,14 @@ | |
| 1692 | zId = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid1); |
| 1693 | pW1 = manifest_get(rid1, CFTYPE_WIKI, 0); |
| 1694 | if( pW1==0 ) fossil_redirect_home(); |
| 1695 | blob_init(&w1, pW1->zWiki, -1); |
| 1696 | zPid = P("pid"); |
| 1697 | if( zPid==0 && pW1->nParent ){ |
| 1698 | zPid = pW1->azParent[0]; |
| 1699 | } |
| 1700 | if( zPid ){ |
| 1701 | char *zDate; |
| 1702 | rid2 = name_to_typed_rid(zPid, "w"); |
| 1703 | pW2 = manifest_get(rid2, CFTYPE_WIKI, 0); |
| 1704 | blob_init(&w2, pW2->zWiki, -1); |
| 1705 | @ <h2>Changes to \ |
| 1706 |
| --- src/wiki.c | |
| +++ src/wiki.c | |
| @@ -1692,14 +1692,14 @@ | |
| 1692 | zId = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid1); |
| 1693 | pW1 = manifest_get(rid1, CFTYPE_WIKI, 0); |
| 1694 | if( pW1==0 ) fossil_redirect_home(); |
| 1695 | blob_init(&w1, pW1->zWiki, -1); |
| 1696 | zPid = P("pid"); |
| 1697 | if( ( zPid==0 || zPid[0] == 0 ) && pW1->nParent ){ |
| 1698 | zPid = pW1->azParent[0]; |
| 1699 | } |
| 1700 | if( zPid && zPid[0] != 0 ){ |
| 1701 | char *zDate; |
| 1702 | rid2 = name_to_typed_rid(zPid, "w"); |
| 1703 | pW2 = manifest_get(rid2, CFTYPE_WIKI, 0); |
| 1704 | blob_init(&w2, pW2->zWiki, -1); |
| 1705 | @ <h2>Changes to \ |
| 1706 |