[PATCH] Re: New bug added to README
Igor Pechtchanski
pechtcha@cs.nyu.edu
Mon Apr 21 13:15:00 GMT 2003
Resending with a better subject this time. Oh, and "ping".
Igor
---------- Forwarded message ----------
Date: Thu, 17 Apr 2003 10:08:16 -0400 (EDT)
From: Igor Pechtchanski <pechtcha@cs.nyu.edu>
Reply-To: cygwin-apps@cygwin.com
To: Max Bowsher <maxb@ukf.net>
Cc: cygwin-apps@cygwin.com
Subject: Re: New bug added to README
On Thu, 17 Apr 2003, Max Bowsher wrote:
> maxb wrote:
> > CVSROOT: /cvs/cygwin-apps
> > Module name: setup
> > Changes by: maxb 2003-04-17 08:41:41
> >
> > Log message:
> > New bug in TODO:
> >
> > * Audit rfc1738 code for bad memory/string handling. Example: Crash occurs
> > if rfc1738 encoded dirname is truncated in the middle of a %xx sequence.
>
> Suggesting this be considered for Release Blocker status.
> Max.
Yup, there's a bug all right:
rfc1738.cc, in rfc1738_unescape() [line 201]:

    for (i = j = 0; s[j]; i++, j++)
      {
        s[i] = s[j];
        if (s[i] != '%')
          continue;
        if (s[j + 1] == '%')
          { /* %% case */
            j++;
            continue;
          }
>       if (s[j + 1] && s[j + 2])
It will crash in the line above, since it overruns the buffer (by 2). I'm
attaching a patch. Perhaps the squid people should also be notified.
Igor
==============================================================================
ChangeLog:
2003-04-17 Igor Pechtchanski <pechtcha@cs.nyu.edu>
* rfc1738.cc (rfc1738_unescape): Handle incomplete escape.
--
http://cs.nyu.edu/~pechtcha/
|\ _,,,---,,_ pechtcha@cs.nyu.edu
ZZZzz /,`.-'`' -. ;-;;,_ igor@watson.ibm.com
|,4- ) )-,_. ,\ ( `'-' Igor Pechtchanski
'---''(_/--' `-'\_) fL a.k.a JaguaR-R-R-r-r-r-.-.-. Meow!
Knowledge is an unending adventure at the edge of uncertainty.
-- Leto II
-------------- next part --------------
Index: rfc1738.cc
===================================================================
RCS file: /cvs/cygwin-apps/setup/rfc1738.cc,v
retrieving revision 2.4
diff -u -p -r2.4 rfc1738.cc
--- rfc1738.cc 1 May 2002 11:13:16 -0000 2.4
+++ rfc1738.cc 17 Apr 2003 13:58:56 -0000
@@ -203,6 +203,11 @@ rfc1738_unescape (char *s)
s[i] = s[j];
if (s[i] != '%')
continue;
+ if (!s[j + 1] || !s[j + 2])
+ {
+ j++;
+ continue;
+ }
if (s[j + 1] == '%')
{ /* %% case */
j++;
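Review bot: the `j++` in the new `if (!s[j + 1] || !s[j + 2])` block is one step too many when s[j + 1] is already the terminator: j lands on the NUL, and the loop's own `i++, j++` (the `for` header at line 201, quoted above) then moves it one past the end of the string before `s[j]` is tested, so a dirname ending in a bare '%' still reads one byte beyond the buffer. Only advance j when s[j + 1] is non-NUL, e.g. `if (!s[j + 1]) continue;` followed by `if (!s[j + 2]) { j++; continue; }`; the `%%` branch below is fine because it has already established that s[j + 1] is a '%'. The ChangeLog entry could also say that the incomplete escape is kept as a literal '%' with its trailing character dropped, since that is the behaviour this hunk produces.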
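An added example, not setup's own code, of the bounded-read decoder the ChangeLog entry calls for, using the hypothetical names safe_unescape, hexval and check_unescape. It differs from the patch in that it keeps a malformed escape literally and reports it to the caller, and it covers the bare trailing '%' as well as the one-digit case.

```c
#include <stddef.h>
#include <string.h>
/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}
/* In-place %xx decoding (hypothetical helper, not setup's rfc1738_unescape).
 * "%%" -> "%". A '%' not followed by two hex digits, including one cut off
 * by the end of the string, is copied through unchanged and counted so the
 * caller can reject the input. s[j+2] is only read once s[j+1] is non-NUL. */
size_t safe_unescape(char *s)
{
  size_t i = 0, j = 0, bad = 0;
  while (s[j]) {
    if (s[j] != '%') {
      s[i++] = s[j++];
      continue;
    }
    if (s[j + 1] == '%') {            /* "%%" -> "%" */
      s[i++] = '%';
      j += 2;
      continue;
    }
    if (s[j + 1] != '\0' && s[j + 2] != '\0') {
      int hi = hexval((unsigned char) s[j + 1]);
      int lo = hexval((unsigned char) s[j + 2]);
      if (hi >= 0 && lo >= 0) {
        s[i++] = (char) (hi * 16 + lo);
        j += 3;
        continue;
      }
    }
    bad++;                            /* truncated or non-hex escape */
    s[i++] = s[j++];                  /* keep the literal '%' */
  }
  s[i] = '\0';
  return bad;
}
/* Test helper: 1 if decoding `in` yields `want` with `want_bad` bad escapes. */
int check_unescape(const char *in, const char *want, size_t want_bad)
{
  char buf[64];
  if (strlen(in) >= sizeof buf) return 0;
  strcpy(buf, in);
  return safe_unescape(buf) == want_bad && strcmp(buf, want) == 0;
}
```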