lynx-dev
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: LYNX-DEV bug in LYString.c

From: Foteos Macrides
Subject: Re: LYNX-DEV bug in LYString.c
Date: Sun, 03 Aug 1997 20:28:57 -0500 (EST) 
juergen baumann <address@hidden> wrote:
>first: sorry for mailing into this list without having subscribed to it...
>(I haven't got as much time as I need to follow all the possible lists of
> devellopments on which I currently spend a little bit time..)
> 
>running system is Linux 2.1.41, lynx 2.7.1 is ompiled with slang.lib.
>
>but this is not relevant at this bug.
>
>any Website can currently crash lynx with a simple FORM-entry.
>
>I've tried a TEXTAREA with a line of more than 1024 characters
>and lynx crashes. maybe other INPUT-fields do the same, but I
>haven't check this out.
>
>the crash is caused by a stack-corruption, inited by the function
>LYSetupEdit() in LYString.c. a strcpy() is used on an array of
>1024 characters without any check of the amount of copied data.
>
>a simple patch prevent this:
[...]

        Thanks for the bug report and patch.  That vulnerability to
stack manipulation was fixed some time, more elaborately via mods
with appropriate messaging in HTForms.c, and this in HTStrings.c

    /*
     *  We expect the called function to pass us a default (old) value
     *  with a length that is less than or equal to maxstr, and to
     *  handle any messaging associated with actions to achieve that
     *  requirement.  However, in case the calling function screwed
     *  up, we'll check it here, and ensure that no buffer overrun can
     *  occur by loading only as much of the head as fits. - FM
     */
    if (strlen(old) >= maxstr) {
        strncpy(edit->buffer, old, maxstr);
        edit->buffer[maxstr] = '\0';
        StrLen = maxstr;
    } else {
        strcpy(edit->buffer, old);
    }

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
;
; To UNSUBSCRIBE:  Send a mail message to address@hidden
;                  with "unsubscribe lynx-dev" (without the
;                  quotation marks) on a line by itself.
;
reply via email to
[Prev in Thread] Current Thread [Next in Thread]