At:

    pBuf++;
    pBuf = strstr(pBuf, "<a href=\""); // Find the next link to a possible file name.
How do we know that pBuf++ is actually not outside our buffer? Btw, why abort if pBufRes > pBuf? Why not something like the probably even uglier attached patch? I want to get deeper inside C and C++, so I want to understand.

On Thu, Jun 27, 2013 at 10:33 PM, Jaak Ristioja <j...@ristioja.ee> wrote:
> Patch for pointer dereference issue:
>
> https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/1b8ab91ff994c8584d6c61cb7d334273732d8216
>
> Patch for buffer overflow:
>
> https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/4a261b27a7bec9d9300da6c357666a3851f3d34e
>
> There you go! Took me half an hour.
>
> Blessings,
> Jaak
>
> On 27.06.2013 22:41, Mark Trompell wrote:
>> I see. I'll try to come up with a better patch on Monday. I won't
>> have time earlier.
>>
>> Blessings
>> Mark
>>
>> --- Original message ---
>> From: Jaak Ristioja
>> Sent: 27.06.2013, 16:15
>> To: sword-devel@crosswire.org
>> Subject: Re: [sword-devel] installmgr (and xiphos) crashes (svn 2831)
>>
>> I think you only fixed pBuf not being set to NULL prematurely. But
>> this:
>>
>>     memset(possibleName, 0, 400);
>>
>> doesn't help. The sprintf function always writes a terminating \0
>> character. The problem is not that a \0 character is not written,
>> because it is written (unless a memory error occurs first). The
>> problem is that if possibleNameLength > 399 then it writes the
>> characters (including the terminating \0 character) past the end
>> of the possibleName buffer, corrupting memory, potentially outside
>> of the virtual address space of the program (usually triggering the
>> OS to kill the process with a segfault or something).
>>
>> The memset call is not needed, but it should be checked that
>> possibleNameLength < 400 (strictly "less-than"). Otherwise
>>
>>     sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
>>
>> is a security vulnerability. I wonder whether a CVE is required.
>>
>> Blessings,
>> Jaak
>>
>> On 27.06.2013 14:45, Mark Trompell wrote:
>>> Sending again with tabs instead of blanks in the first hunk
>>>
>>> On Thu, Jun 27, 2013 at 1:17 PM, Mark Trompell
>>> <m...@foresightlinux.org> wrote:
>>>> I just fixed it :). Attached patch will initialize
>>>> possibleNames with 0 bytes to make sure we always have the name
>>>> 0 terminated properly. And it will move the pBuf=pBufRes into
>>>> the check for pBufRes != NULL, in case no filesize is found
>>>> (because another apache is displaying it differently).
>>>> Shouldn't break existing setups.
>>>
>>> _______________________________________________
>>> sword-devel mailing list: sword-devel@crosswire.org
>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>> Instructions to unsubscribe/change your settings at above page
--
Mark Trompell
Foresight Linux Xfce Edition
Cause your desktop should be freaking cool (and Xfce)
fix_curl_http_crash.patch
Description: Binary data
_______________________________________________ sword-devel mailing list: sword-devel@crosswire.org http://www.crosswire.org/mailman/listinfo/sword-devel Instructions to unsubscribe/change your settings at above page
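The two points raised in this thread, the strict possibleNameLength < 400 check before the "%.*s" copy and bounding pBuf before strstr runs from it, as an added C example that is not code from the thread or from SWORD. The buffer name, the 400-byte size and the `<a href="` marker come from the thread; the function names, the skip-oversize-names policy and the sample listing are constructed here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POSSIBLE_NAME_SIZE 400   /* size of the thread's possibleName buffer */
/* Same copy as sprintf(possibleName, "%.*s", len, pBuf), guarded by the strict
 * len < size check from the thread: "%.*s" writes len bytes plus the '\0', so
 * len == size already overruns by one byte. Returns false (dst left empty) when
 * the name does not fit; snprintf bounds the write even if len is miscounted. */
static bool copy_possible_name(char *dst, size_t size, const char *src, size_t len)
{
    if (size == 0) return false;
    dst[0] = '\0';
    if (len >= size) return false;
    snprintf(dst, size, "%.*s", (int)len, src);
    return true;
}

/* Walk a NUL-terminated index page, counting link names that fit into a
 * POSSIBLE_NAME_SIZE buffer and skipping oversize ones instead of overflowing.
 * Every advance of pBuf is checked against `end` before strstr/memchr run from
 * it, which is the bound the original pBuf++ lacks. */
static int count_safe_names(const char *listing)
{
    char possibleName[POSSIBLE_NAME_SIZE];
    const char *end = listing + strlen(listing);
    const char *pBuf = strstr(listing, "<a href=\"");
    int accepted = 0;
    while (pBuf && pBuf < end) {
        pBuf += strlen("<a href=\"");                 /* step past the marker */
        const char *q = memchr(pBuf, '"', (size_t)(end - pBuf));
        if (!q) break;                                /* unterminated attribute */
        if (copy_possible_name(possibleName, sizeof possibleName, pBuf, (size_t)(q - pBuf)))
            accepted++;
        pBuf = (q + 1 < end) ? strstr(q + 1, "<a href=\"") : NULL;
    }
    return accepted;
}

/* Constructed sample listing: two ordinary names around one 450-byte name. */
static int demo(void)
{
    static char listing[1024];
    char big[451];
    memset(big, 'x', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    snprintf(listing, sizeof listing,
             "<a href=\"KJV.zip\">KJV</a> <a href=\"%s\">big</a> <a href=\"ESV.zip\">ESV</a>", big);
    return count_safe_names(listing);   /* 2: the 450-byte name is rejected */
}
```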