Commit 419ca82d57 (Fix m17n backspace handling causes out-of-bounds
write in checkType) introduced an incomplete fix.
In function checkType we store the length of the previous multi-char
character in a buffer plens_buffer with pointer plens pointing to the
current position inside the buffer. When encountering a backspace plens
is set to the previous position without a bounds check. This will lead
to plens being out of bounds if we get more backspaces than we have
processed multi-char characters before.
If we are at the beginning of the buffer do not decrement and set plen
(the current length) to 0.
This also fixes GH Issue #270 [BUG] Out of bound read in Strnew_size ,
Str.c:61
If the above explanation does sound weird it's because I didn't fully
grok that function. :-)
With this patch applied the user can configure a directory to store
temporary/cache files. The history and cookies remain in RC_DIR.
I suppose the intent of writing the history to a temp file first is to
make the actual write an atomic operation. As rename() does not work
across mount points, we need to handle the temp file for the history
different to keep this behaviour.
Add a new type for the temp history file and handle this case different
when creating a temp file.
Throughout the whole code base only char * is passed, but a unsigned
char * is expected. This leads to several warnings.
Fix the interface and cast to unsigned char * internally to avoid any
changes to the behaviour.
This also fixes a bug in the tokenizing FSM in etc.c that prevented the !doctype element from being recognized; the fix is necessary because HTML5 detection depends on checking the !doctype element.
