[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
lynx-dev buffer overflow in GridText
From: |
Dick Wesseling |
Subject: |
lynx-dev buffer overflow in GridText |
Date: |
Mon, 24 Aug 1998 00:51:09 +0200 |
The code in GridText that adds control characters to the current line
does not test for buffer overflow. Normally Lynx gets away with this
because it will wrap the current line as soon as the line exceeds the
display width, but if you have a file with nothing but control
characters with no displayable text in-between (a few thousand hidden
links will do), then Lynx bombs.
The patch below silently ignores excess control characters.
However, from looking at the code I get a feeling that there may also
be a problem if you have a bunch of control characters followed by a
kanji or utf-8 sequence. Adding a few extra bytes extra when allocating
the line buffer should take care of that.
*** GridText.c.orig Mon Aug 24 00:28:17 1998
--- GridText.c Mon Aug 24 00:35:49 1998
***************
*** 1588,1598 ****
* Make new line.
*/
HTLine * previous = text->last_line;
int ctrl_chars_on_previous_line = 0;
char * cp;
! HTLine * line = (HTLine *)LY_CALLOC(1, LINE_SIZE(MAX_LINE));
if (line == NULL)
outofmem(__FILE__, "split_line_1");
ctrl_chars_on_this_line = 0; /*reset since we are going to a new line*/
text->LastChar = ' ';
--- 1588,1599 ----
* Make new line.
*/
HTLine * previous = text->last_line;
int ctrl_chars_on_previous_line = 0;
char * cp;
! /* can't wrap in middle of multibyte sequences, so allocate 2 extra */
! HTLine * line = (HTLine *)LY_CALLOC(1, LINE_SIZE(MAX_LINE)+2);
if (line == NULL)
outofmem(__FILE__, "split_line_1");
ctrl_chars_on_this_line = 0; /*reset since we are going to a new line*/
text->LastChar = ' ';
***************
*** 2224,2233 ****
--- 2225,2235 ----
return;
}
if (IsSpecialAttrChar(ch)) {
#ifndef USE_COLOR_STYLE
+ if (line->size >= (MAX_LINE-1)) return;
if (ch == LY_UNDERLINE_START_CHAR) {
line->data[line->size++] = LY_UNDERLINE_START_CHAR;
line->data[line->size] = '\0';
underline_on = ON;
if (!(dump_output_immediately && use_underscore))
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- lynx-dev buffer overflow in GridText,
Dick Wesseling <=