[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
lynx-dev frag redir crash fixes
From: |
Klaus Weide |
Subject: |
lynx-dev frag redir crash fixes |
Date: |
Tue, 25 Apr 2000 12:19:19 -0500 (CDT) |
Some redirection message can lead to invalid memory access. A malicious
server could use this to cause a SIGSEGV etc. (or equivalent on other
platforms). (Write to me privately if you want a demonstration.)
Klaus
* Avoid invalid memory access that can result from redirection messages
that include a fragment in the new URL.
(patch against 2.8.3pre.6 - nothing should have changed here since then.)
Index: 1.35/WWW/Library/Implementation/HTAccess.c
--- 1.35/WWW/Library/Implementation/HTAccess.c Tue, 18 Apr 2000 10:26:31 -0500
+++ 1.35(w)/WWW/Library/Implementation/HTAccess.c Tue, 25 Apr 2000 12:09:26
-0500
@@ -823,7 +823,7 @@
NewDoc.bookmark = anchor->bookmark;
NewDoc.isHEAD = anchor->isHEAD;
NewDoc.safe = anchor->safe;
- anchor = (HTParentAnchor *)HTAnchor_findAddress(&NewDoc);
+ anchor = HTAnchor_parent(HTAnchor_findAddress(&NewDoc));
}
}
/*
Index: 1.35/src/LYGetFile.c
--- 1.35/src/LYGetFile.c Tue, 18 Apr 2000 10:26:31 -0500
+++ 1.35(w)/src/LYGetFile.c Tue, 25 Apr 2000 12:09:29 -0500
@@ -1055,11 +1055,14 @@
return(NULLFILE);
} else {
- /*
- * May set www_search_result.
- */
- if (pound != NULL)
+ if (pound != NULL) {
+ if (!HTMainText) /* this should not happen... */
+ return(NULLFILE); /* but it can. - kw */
+ /*
+ * May set www_search_result.
+ */
HTFindPoundSelector(pound+1);
+ }
return(NORMAL);
}
}
- lynx-dev frag redir crash fixes,
Klaus Weide <=