[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Lynx-dev] Lynx segfault at _IO_vfscanf()
|
From: |
Thomas Dickey |
|
Subject: |
Re: [Lynx-dev] Lynx segfault at _IO_vfscanf() |
|
Date: |
Thu, 01 Dec 2011 05:41:22 -0500 |
|
User-agent: |
Mutt/1.5.18 (2008-05-17) |
On Wed, Nov 30, 2011 at 11:29:10AM +0200, Aki Helin wrote:
> A simple way to avoid the crash would be for example to bound the number
> of bytes sscanf can read, because here the input is something coming from
> outside and sscanf is expecting a representation of a number within the
> valid range.
>
> --- lynx2-8-8/WWW/Library/Implementation/SGML.c 2011-06-13 03:18:54.000000000
> +0300
> +++ lynx2-8-8-scan/WWW/Library/Implementation/SGML.c 2011-11-30
> 11:10:11.000000000 +0200
> @@ -2643,7 +2643,7 @@
> #endif
> if ((context->isHex
> - ? sscanf(string->data, "%lx", &lcode)
> - : sscanf(string->data, "%lu", &lcode)) == 1) {
> + ? sscanf(string->data, "%20lx", &lcode)
> + : sscanf(string->data, "%20lu", &lcode)) == 1) {
The drawback to this is that it will succeed when it shouldn't.
I made a different fix using strtol which is in ongoing fixes here:
ftp://invisible-island.net/temp/lynx2.8.8dev.9d.patch.gz
--
Thomas E. Dickey <address@hidden>
http://invisible-island.net
ftp://invisible-island.net
signature.asc
Description: Digital signature
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: [Lynx-dev] Lynx segfault at _IO_vfscanf(),
Thomas Dickey <=