From 0542b1869b6970003caa954ebc5f1dea41d48032 Mon Sep 17 00:00:00 2001
From: Arseny Kapoulkine <arseny.kapoulkine@gmail.com>
Date: Thu, 12 Mar 2015 20:21:59 -0700
Subject: Fix buffer overrun when parsing comments inside DOCTYPE

---
 src/pugixml.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/pugixml.cpp')

diff --git a/src/pugixml.cpp b/src/pugixml.cpp
index ce8a79f..4269335 100644
--- a/src/pugixml.cpp
+++ b/src/pugixml.cpp
@@ -2352,7 +2352,7 @@ PUGI__NS_BEGIN
 				PUGI__SCANFOR(s[0] == '-' && s[1] == '-' && s[2] == '>'); // no need for ENDSWITH because --> can't terminate proper doctype
 				if (!*s) PUGI__THROW_ERROR(status_bad_doctype, s);
 
-				s += 4;
+				s += 3;
 			}
 			else PUGI__THROW_ERROR(status_bad_doctype, s);
 
-- 
cgit v1.2.3