From cf8c0d0a937f32662f4d16b26f52adc6127d9f88 Mon Sep 17 00:00:00 2001
From: Peng
Date: Wed, 14 Aug 2013 09:22:43 -0300
Subject: [PATCH] scanner_get_token: robustness improvement

Patch to make scanner_get_token more robust (avoid over-reading).

(cherry picked from commit a3c540bc9ba74560239e2a906db4846fcdbec90e)
---
 ChangeLog | 11 ++---------
 THANKS | 1 +
 upnp/src/genlib/net/http/httpparser.c | 4 ++--
 3 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 81f31f6..eb0fef3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -357,16 +357,9 @@ Version 1.8.0
 Version 1.6.19
 *******************************************************************************
-2013-07-30 Robert Buckley
+2013-08-13 Peng
- SF ticket #53 Action Error Response not returned
-
- In soap_ctrlpt.c, in function get_response_value:
-
- upnp_error_code is checked to see if it is less than 400 because that
- would indicate a SOAP error code.
-
- However it should be checked to see if it is greater than 400.
+ Patch to make scanner_get_token more robust (avoid over-reading).
 2013-07-30 Zheng Peng
diff --git a/THANKS b/THANKS
index 6bd334d..e35467d 100644
--- a/THANKS
+++ b/THANKS
@@ -54,6 +54,7 @@ exempt of errors.
 - Oskar Liljeblad
 - Michael (oxygenic)
 - Paul Vixie
+- Peng
 - Peter Hartley
 - Rene Hexel
 - Robert Buckley (rbuckley)
diff --git a/upnp/src/genlib/net/http/httpparser.c b/upnp/src/genlib/net/http/httpparser.c
index 1f74d8e..206e2e4 100644
--- a/upnp/src/genlib/net/http/httpparser.c
+++ b/upnp/src/genlib/net/http/httpparser.c
@@ -245,7 +245,7 @@ static parse_status_t scanner_get_token(
 /* scan identifier */
 token->buf = cursor++;
 token_type = TT_IDENTIFIER;
- while (is_identifier_char(*cursor))
+ while (cursor < null_terminator && is_identifier_char(*cursor))
 cursor++;
 if (!scanner->entire_msg_loaded && cursor == null_terminator)
 /* possibly more valid chars */
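Review bot: The new `cursor < null_terminator` bound on the identifier loop at @@ -245 carries no explanation of why it is needed, and without one it looks redundant: if the byte at `null_terminator` were a NUL, `is_identifier_char('\0')` would already end the loop, so the guard only matters when the scanner's buffer is not guaranteed to be NUL-terminated at that position, which I cannot confirm from the hunk. A comment on the `while`, such as `/* buffer is not guaranteed NUL-terminated at null_terminator; never read past it */`, would stop a later cleanup from dropping the check as dead, and it also makes explicit that the following `cursor == null_terminator` test is now the only way to tell a buffer-end stop from a stop on a non-identifier byte. The whitespace loop in the second hunk at @@ -255 has the same shape and wants the same comment. In both hunks `token->buf = cursor++;` still advances past the current byte without that bound, which is safe only if `c` was read from `*cursor` under the same check earlier in the function; scanner_get_token starts and ends outside the hunks, so that and any other `while (*cursor ...)` branches left unguarded should be verified in the full function.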
@@ -255,7 +255,7 @@ static parse_status_t scanner_get_token(
 } else if (c == ' ' || c == '\t') {
 token->buf = cursor++;
 token_type = TT_WHITESPACE;
- while (*cursor == ' ' || *cursor == '\t')
+ while (cursor < null_terminator && (*cursor == ' ' || *cursor == '\t'))
 cursor++;
 if (!scanner->entire_msg_loaded && cursor == null_terminator)
 /* possibly more chars */