Yuan Ren wrote:
>
> Hello everyone,
>
> Fixed magic number and buffer overflow in 'start_user_buffer'.
>
> Bests,
> Rey
>
> diff --git a/src/hyper/spadint.c b/src/hyper/spadint.c
> index fb031fc..4e70ac3 100644
> --- a/src/hyper/spadint.c
> +++ b/src/hyper/spadint.c
> @@ -39,6 +39,9 @@
> #include "debug.h"
>
> #include <signal.h>
> +#include <limits.h>
> +#include <error.h>
> +#include <stdlib.h>
>
> #include "hyper.h"
> #include "parse.h"
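Review bot: <error.h> is a glibc extension and nothing in this patch calls error(); the only error reporting added is perror, which is declared in <stdio.h>. Dropping this include keeps the file portable. PATH_MAX from <limits.h> is also not guaranteed to be defined on every POSIX system, so an #ifndef PATH_MAX fallback next to the includes would be worth adding.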
> @@ -182,18 +185,20 @@
> static void
> start_user_buffer(HyperDocPage *page)
> {
> - char buf[1024], *title;
> + char buf[BUFSIZE], *title;
> char *SPAD;
> - char spadbuf[250];
> - char complfile[250];
> + char spadbuf[PATH_MAX];
> + char complfile[PATH_MAX];
> int ret_val;
>
> SPAD = (char *) getenv("AXIOM");
> - if (SPAD == NULL) {
> - sprintf(SPAD, "/spad/mnt/rios");
> + snprintf(spadbuf, sizeof(spadbuf), "%s/lib/spadbuf", SPAD);
> + if(access(spadbuf, R_OK) == -1)
> + {
> + perror("spadbuf access err");
> + return;
> }
> - sprintf(spadbuf, "%s/lib/spadbuf", SPAD);
> - sprintf(complfile, "%s/lib/command.list", SPAD);
> + snprintf(complfile, sizeof(complfile), "%s/lib/command.list", SPAD);
> title = print_to_string(page->title);
> if (access(complfile, R_OK) == 0)
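Review bot: The NULL check on the result of getenv("AXIOM") is removed rather than repaired, so at the first snprintf call SPAD may be NULL and is passed to a %s conversion, which is undefined behaviour. The old branch was wrong (it wrote through the NULL pointer), but the replacement should still test SPAD == NULL and either return with an error or point SPAD at a default string. Neither snprintf call checks its return value, so a truncated spadbuf or complfile goes on to access() unnoticed; compare each result against sizeof(spadbuf) and sizeof(complfile) and bail out when it does not fit. BUFSIZE is not defined anywhere in the visible lines, so the commit message should say where it comes from and why its value is right for buf.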
Frankly, this does not look like the right fix. AFAICS you are picking
BUFSIZE from system headers -- this is not an improvement over
using a fixed max value. Using PATH_MAX helps, but in case
of overflow snprintf truncates the value, so further attempts to
use the result will produce nonsense. So overflow should be
a fatal error.
--
Waldek Hebisch
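
The point made in the reply above, that a path truncated by snprintf must not be used and the overflow should be fatal, as an added example (not code from the patch or from FriCAS). The helper names `build_path` and `build_path_or_die`, the buffer sizes and the sample root path are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: format "<root><suffix>" into dst.
 * Returns 0 on success, -1 if root is NULL, formatting failed,
 * or the result does not fit (snprintf would have truncated it). */
static int
build_path(char *dst, size_t dstlen, const char *root, const char *suffix)
{
    int n;

    if (root == NULL || dstlen == 0)
        return -1;
    n = snprintf(dst, dstlen, "%s%s", root, suffix);
    /* snprintf returns the length it needed; n >= dstlen means truncation */
    if (n < 0 || (size_t) n >= dstlen) {
        dst[0] = '\0';          /* never leave a half-written path behind */
        return -1;
    }
    return 0;
}

/* Hypothetical caller policy: an unusable path ends the program. */
static void
build_path_or_die(char *dst, size_t dstlen, const char *root, const char *suffix)
{
    if (build_path(dst, dstlen, root, suffix) != 0) {
        fprintf(stderr, "AXIOM unset or path too long for %s\n", suffix);
        exit(EXIT_FAILURE);
    }
}

int
main(void)
{
    char spadbuf[64];           /* deliberately small, constructed for the demo */
    char longroot[128];

    /* constructed sample root, standing in for getenv("AXIOM") */
    build_path_or_die(spadbuf, sizeof(spadbuf), "/opt/axiom-demo", "/lib/spadbuf");
    printf("ok: %s\n", spadbuf);

    memset(longroot, 'a', sizeof(longroot) - 1);
    longroot[sizeof(longroot) - 1] = '\0';
    if (build_path(spadbuf, sizeof(spadbuf), longroot, "/lib/spadbuf") != 0)
        printf("over-long root rejected instead of truncated\n");
    return 0;
}
```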