lynx-dev

LYNX-DEV Minor bugs in lynx2-7-1+fotemods


From: Rick Mallett
Subject: LYNX-DEV Minor bugs in lynx2-7-1+fotemods
Date: Sat, 10 May 1997 13:21:54 -0400 (EDT)

In the process of debugging some local changes to lynx I downloaded an
evaluation copy of Atria's Purify and tried it out on lynx2-7-1 plus
fotemods.zip (May 8). It turned up a couple of interesting minor bugs
both of which appear to have been in the code for quite some time.

I'm not supplying a patch because I'm not sure what was intended and 
I figured that whoever wrote the code would be in a better position to
apply a fix. Anyway they appear to be minor problems.

The first bug occurs in function `statusline' in LYUtils.c and it is
simply that the array `buffer' in the following statement (about 30 lines
into the routine) is a local variable and has not been initialized at this
point in the code. 

    if ((buffer[0] != '\0') &&
        (LYHaveCJKCharacterSet)) {

A statement such as "buffer[0] = '\0';" right at the beginning of the
routine eliminates the problem as far as purify is concerned but hardly
seems appropriate since the loop would never be executed.

The second, and slightly more serious, problem occurs at line 1922 in
LYCharUtils.c in function LYHandleMETA and results in a reference beyond
the end of allocated memory. The problem statement is

            while (*cp1) {

in the code sequence 

    } else if (!strcasecomp((http_equiv ? http_equiv : ""), "Refresh")) {
        char *Seconds = NULL;

        /*
         *  Look for the Seconds field. - FM
         */
        cp = content;
        while (*cp && isspace((unsigned char)*cp))
            cp++;
        if (*cp && isdigit(*cp)) {
            cp1 = cp;
            while (*cp1 && isdigit(*cp1))
                cp1++;
            *cp1 = '\0';
            StrAllocCopy(Seconds, cp);
            cp1++;
        }
        if (Seconds) {
            /*
             *  We have the seconds field.
             *  Now look for a URL field - FM
             */
            while (*cp1) {

I'm not sure what is happening here but purify complains that the reference
to *cp1 is one byte beyond the end of allocated memory, and looking at the code
it does seem that this could happen if the

            while (*cp1 && isdigit(*cp1))

loop ended because *cp1 was zero (end of string), in which case the extra
`cp1++' just after the `StrAllocCopy' would push the pointer past allocated
memory.

----------------------------------------------------------------------
Rick Mallett
Carleton University

Email address: address@hidden
----------------------------------------------------------------------
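The second report above can be checked without a tool like Purify. The following is an added example, not code from Lynx or from the message author: `original_step_overruns` reproduces the scanning order of the quoted Refresh handler and reports, by pointer arithmetic alone, whether the unconditional `cp1++` would land one byte past the terminating NUL for a given `content` value; `parse_refresh` is a hardened version of the same parse that only steps past a real separator. The type and function names, the 256-byte URL buffer, and the sample `content` strings are all constructed for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Result of parsing a META Refresh "content" value such as "5; URL=...".
 * Constructed for this example; the names are not Lynx's. */
typedef struct {
    long seconds;      /* -1 when there is no leading digit field */
    char url[256];     /* empty when no URL field follows */
} refresh_fields;

/* Returns 1 if the unconditional `cp1++' in the quoted code would land
 * one byte past the terminating NUL for this content string, 0 otherwise.
 * Pure pointer arithmetic: nothing beyond the string is dereferenced. */
int original_step_overruns(const char *content)
{
    const char *cp = content;
    const char *cp1;
    while (*cp && isspace((unsigned char)*cp))
        cp++;
    if (!(*cp && isdigit((unsigned char)*cp)))
        return 0;                 /* Seconds stays NULL; cp1 is never advanced */
    cp1 = cp;
    while (*cp1 && isdigit((unsigned char)*cp1))
        cp1++;
    /* Digit run ended on the NUL: the original then does cp1++ anyway. */
    return *cp1 == '\0';
}

/* Hardened parse: same scanning order as the quoted code, but cp1 is only
 * advanced past a real separator, never past the terminator. The input is
 * read-only, so the in-place "*cp1 = '\0'" is replaced by strtol on the
 * digit run. Returns 1 when a Seconds field was found, 0 otherwise. */
int parse_refresh(const char *content, refresh_fields *out)
{
    const char *cp = content;
    const char *cp1;
    size_t n;

    out->seconds = -1;
    out->url[0] = '\0';

    while (*cp && isspace((unsigned char)*cp))
        cp++;
    if (!(*cp && isdigit((unsigned char)*cp)))
        return 0;                          /* no Seconds field */
    cp1 = cp;
    while (*cp1 && isdigit((unsigned char)*cp1))
        cp1++;
    out->seconds = strtol(cp, NULL, 10);   /* stops at the first non-digit */

    if (*cp1 == '\0')
        return 1;                          /* seconds only: do not step further */

    /* Skip separators between the Seconds and URL fields. */
    while (*cp1 && (isspace((unsigned char)*cp1) || *cp1 == ';' || *cp1 == ','))
        cp1++;
    /* Optional, case-insensitive "URL" "=" prefix; each index is only read
     * after the previous character proved non-NUL. */
    if (toupper((unsigned char)cp1[0]) == 'U' &&
        toupper((unsigned char)cp1[1]) == 'R' &&
        toupper((unsigned char)cp1[2]) == 'L') {
        const char *eq = cp1 + 3;
        while (*eq && isspace((unsigned char)*eq))
            eq++;
        if (*eq == '=') {
            cp1 = eq + 1;
            while (*cp1 && isspace((unsigned char)*cp1))
                cp1++;
        }
    }
    n = strlen(cp1);
    if (n >= sizeof out->url)
        n = sizeof out->url - 1;           /* truncate rather than overflow */
    memcpy(out->url, cp1, n);
    out->url[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample content values. */
    const char *samples[] = { "5", "  30; URL=http://example.invalid/", "URL=nothing" };
    refresh_fields r;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = parse_refresh(samples[i], &r);
        printf("%-36s overrun=%d ok=%d seconds=%ld url=\"%s\"\n",
               samples[i], original_step_overruns(samples[i]), ok, r.seconds, r.url);
    }
    return 0;
}
```

The bare `"5"` case is the one the report describes: the digit loop stops on the terminator, and a further `cp1++` would point one byte past the allocation before the `while (*cp1)` reads it. The fix is simply to return once the terminator has been reached instead of stepping over it.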