New bug added to README

Igor Pechtchanski pechtcha@cs.nyu.edu
Thu Apr 17 14:08:00 GMT 2003


On Thu, 17 Apr 2003, Max Bowsher wrote:

> maxb wrote:
> > CVSROOT: /cvs/cygwin-apps
> > Module name: setup
> > Changes by: maxb 2003-04-17 08:41:41
> >
> > Log message:
> > New bug in TODO:
> >
> > * Audit rfc1738 code for bad memory/string handling. Example: Crash occurs
> > if rfc1738 encoded dirname is truncated in the middle of a %xx sequence.
>
> Suggesting this be considered for Release Blocker status.
> Max.

Yup, there's a bug all right:

rfc1738.cc, in rfc1738_unescape() [line 201]:
   for (i = j = 0; s[j]; i++, j++)
     {
       s[i] = s[j];
       if (s[i] != '%')
         continue;
       if (s[j + 1] == '%')
         {                       /* %% case */
           j++;
           continue;
         }
>      if (s[j + 1] && s[j + 2])

It will crash in the line above, since it overruns the buffer (by 2).  I'm
attaching a patch.  Perhaps the squid people should also be notified.
	Igor
==============================================================================
ChangeLog:
2003-04-17  Igor Pechtchanski  <pechtcha@cs.nyu.edu>

	* rfc1738.cc (rfc1738_unescape): Handle incomplete escape.

-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Knowledge is an unending adventure at the edge of uncertainty.
  -- Leto II
Index: rfc1738.cc
===================================================================
RCS file: /cvs/cygwin-apps/setup/rfc1738.cc,v
retrieving revision 2.4
diff -u -p -r2.4 rfc1738.cc
--- rfc1738.cc	1 May 2002 11:13:16 -0000	2.4
+++ rfc1738.cc	17 Apr 2003 13:58:56 -0000
@@ -203,6 +203,11 @@ rfc1738_unescape (char *s)
       s[i] = s[j];
       if (s[i] != '%')
 	continue;
+      if (!s[j + 1] || !s[j + 2])
+        {
+	  j++;
+	  continue;
+        }
       if (s[j + 1] == '%')
 	{			/* %% case */
 	  j++;
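Review bot: the new early exit at `+      if (!s[j + 1] || !s[j + 2])` leaves `j` one byte past the string when `s[j + 1]` is already the terminating NUL: the branch's own `j++` moves onto the NUL, the loop's `i++, j++` then steps over it, and the condition `s[j]` in `for (i = j = 0; s[j]; i++, j++)` reads beyond the end of the buffer. A bare `continue` without the `j++` is enough here: the '%' has already been copied to `s[i]`, the loop increment lands `j` on the NUL (or on the single trailing character, which is then copied verbatim on the next pass), and the loop stops. With the `j++` kept, the `!s[j + 2]` case also silently drops the one character after the '%' instead of preserving it.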

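The thread reports a crash when a percent-encoded directory name is cut off in the middle of a `%xx` sequence. The following is an added example, not the setup project's code or Igor's patch: an in-place decoder that checks the remaining length before looking at the two bytes after a `%`, so a truncated escape is copied through unchanged rather than read past the terminator. The function name `safe_rfc1738_unescape`, the helper `check_unescape`, and the choice to preserve malformed escapes verbatim are this example's own assumptions.

```c
/* Added example (not the setup project's rfc1738.cc): an in-place
 * percent-decoder that tolerates a %xx sequence truncated by the end of
 * the string. Names and the copy-through policy for malformed escapes are
 * this example's choices, not the project's. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Decode %xx escapes in s in place. "%%" decodes to a single '%'.
 * A '%' that is not followed by two hex digits, including one cut off by
 * the end of the string, is kept literally. Every index used is checked
 * against the length computed up front, so no read passes the NUL.
 * Returns the decoded length (a decoded %00 may embed a NUL). */
size_t safe_rfc1738_unescape(char *s)
{
    size_t i = 0, j = 0;
    size_t len = strlen(s);

    while (j < len) {
        if (s[j] != '%') {
            s[i++] = s[j++];
            continue;
        }
        /* "%%" -> "%" */
        if (j + 1 < len && s[j + 1] == '%') {
            s[i++] = '%';
            j += 2;
            continue;
        }
        /* j + 2 < len guarantees s[j+1] and s[j+2] are real characters. */
        if (j + 2 < len) {
            int hi = hexval((unsigned char)s[j + 1]);
            int lo = hexval((unsigned char)s[j + 2]);
            if (hi >= 0 && lo >= 0) {
                s[i++] = (char)(hi * 16 + lo);
                j += 3;
                continue;
            }
        }
        /* Malformed or truncated escape: copy the '%' through as-is. */
        s[i++] = s[j++];
    }
    s[i] = '\0';
    return i;
}

/* Decode a copy of `in` and compare with `want`; 1 on match, 0 otherwise. */
int check_unescape(const char *in, const char *want)
{
    char buf[128];
    size_t n;

    if (strlen(in) >= sizeof buf)
        return 0;
    strcpy(buf, in);
    n = safe_rfc1738_unescape(buf);
    return n == strlen(want) && memcmp(buf, want, n + 1) == 0;
}

int main(void)
{
    /* Constructed inputs, including the truncated case from the report. */
    static const char *cases[][2] = {
        { "a%20b",   "a b"   },
        { "100%%",   "100%"  },
        { "%41%42",  "AB"    },
        { "dir%2",   "dir%2" },   /* %xx cut off after one digit */
        { "dir%",    "dir%"  },   /* lone trailing '%' */
        { "%zz",     "%zz"   },   /* not hex digits */
    };
    size_t k, failed = 0;

    for (k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        int ok = check_unescape(cases[k][0], cases[k][1]);
        printf("%-8s -> %-6s %s\n", cases[k][0], cases[k][1], ok ? "ok" : "FAIL");
        if (!ok)
            failed++;
    }
    return failed ? 1 : 0;
}
```

The key difference from the loop in the report is that the decoder never consults `s[j + 1]` or `s[j + 2]` without first proving they lie inside the string, so the truncated `%x` case takes the copy-through path and the loop terminates at the real end of the buffer.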
