lynx-dev

lynx-dev buffer overflow in GridText


From: Dick Wesseling
Subject: lynx-dev buffer overflow in GridText
Date: Mon, 24 Aug 1998 00:51:09 +0200

The code in GridText that adds control characters to the current line 
does not test for buffer overflow. Normally Lynx gets away with this 
because it will wrap the current line as soon as the line exceeds the 
display width, but if you have a file with nothing but control 
characters with no displayable text in-between (a few thousand hidden 
links will do), then Lynx bombs.
The patch below silently ignores excess control characters.
However, from looking at the code I get a feeling that there may also 
be a problem if you have a bunch of control characters followed by a 
kanji or utf-8 sequence. Adding a few extra bytes when allocating 
the line buffer should take care of that.


*** GridText.c.orig     Mon Aug 24 00:28:17 1998
--- GridText.c  Mon Aug 24 00:35:49 1998
***************
*** 1588,1598 ****
       *  Make new line.
       */
      HTLine * previous = text->last_line;
      int ctrl_chars_on_previous_line = 0;
      char * cp;
!     HTLine * line = (HTLine *)LY_CALLOC(1, LINE_SIZE(MAX_LINE));
      if (line == NULL)
        outofmem(__FILE__, "split_line_1");
  
      ctrl_chars_on_this_line = 0; /*reset since we are going to a new line*/
      text->LastChar = ' ';
--- 1588,1599 ----
       *  Make new line.
       */
      HTLine * previous = text->last_line;
      int ctrl_chars_on_previous_line = 0;
      char * cp;
!     /* can't wrap in middle of multibyte sequences, so allocate 2 extra */
!     HTLine * line = (HTLine *)LY_CALLOC(1, LINE_SIZE(MAX_LINE)+2);
      if (line == NULL)
        outofmem(__FILE__, "split_line_1");
  
      ctrl_chars_on_this_line = 0; /*reset since we are going to a new line*/
      text->LastChar = ' ';
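
Review bot: the `+2` in `LY_CALLOC(1, LINE_SIZE(MAX_LINE)+2)` is a magic number, and the new comment does not say why two bytes are enough. If a line cannot be wrapped in the middle of a multibyte sequence, the slack has to cover every byte that can follow the lead byte, and a UTF-8 sequence can have more than two trailing bytes. Suggest a named constant sized to the longest sequence the renderer accepts, with the comment stating that length. The slack is also added outside `LINE_SIZE()`, so any other line buffer allocated with `LINE_SIZE(MAX_LINE)` would not receive it; folding it into the macro would keep all allocations consistent.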
***************
*** 2224,2233 ****
--- 2225,2235 ----
        return;
      }
  
      if (IsSpecialAttrChar(ch)) {
  #ifndef USE_COLOR_STYLE
+         if (line->size >= (MAX_LINE-1)) return;
          if (ch == LY_UNDERLINE_START_CHAR) {
            line->data[line->size++] = LY_UNDERLINE_START_CHAR;
            line->data[line->size] = '\0';
            underline_on = ON;
            if (!(dump_output_immediately && use_underscore))
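
Review bot: the new guard `if (line->size >= (MAX_LINE-1)) return;` sits inside `#ifndef USE_COLOR_STYLE`, so a build with USE_COLOR_STYLE defined compiles without it. If that configuration also appends to `line->data` in this `IsSpecialAttrChar(ch)` branch, the check should move above the `#ifndef`. The early return also skips the state update that follows (`underline_on = ON`), so a dropped start character leaves the attribute state and the line contents out of step with any later end character; a short comment saying this is intentional, or setting the state before returning, would help. As a style point, put the `return` on its own line in braces to match the surrounding code.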
