Re: LYNX-DEV Lynx 2-7-1 Bug in forms handling code.

[Rick Mallett]

Rick Mallett writes:
> 
> This bug relates to mishandling of very large value fields in the latest
> version of lynx 2-7-1 plus fotemods.zip dated May 29,1997. The problem
> was reported by one of our users who got a segment violation (signal 11)
> when she attempted to use a form at 
>    http://horses.product.com/wwwboard/wwwboard.html
> a WWW based newsgroup which uses HTML forms for posting messages and/or
> followups. To cut a long story short, it seems that if the default value
> for a textarea forms entry is greater than 1024 characters there will be
> a memory overrun on the last line of LYSetupEdit in LYStrings.c when the
> function attempts to copy the long string into a 1024 byte buffer. The 
> statement in question is
>    strcpy(edit->buffer, old);
> where old is the very long string (the default value of the textarea) and
> edit->buffer is a 1024 byte buffer (typedef EditFieldData in LYStrings.h).
> 
> LYSetupEdit is actually passed the length of the buffer as its third 
> argument so it should be possible to replace the errant line by the
> following
>    
>    if (strlen(old) >= maxstr) {
>        strncpy(edit->buffer,old);
>        edit->buffer[maxstr] = '\0';
>    } else
>        strcpy(edit->buffer,old);
> 
> although there might be a more elegant way to handle the problem as in
> malloc'ing the space for edit->buffer etc. If the string is truncated 
> as shown above I would think that a statusline message would be in 
> order. 
> 

Yikes, the strncpy above should read `strncpy(edit->buffer,old,maxstr)'.

----------------------------------------------------------------------
Rick Mallett
Carleton University

Email address: address@hidden
----------------------------------------------------------------------
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;