- converted to UTF-8
[packages/lynx.git] / lynx-CAN-2005-3120.patch
e1178872
ER
1diff -urN lynx2-8-5.orig/CHANGES lynx2-8-5/CHANGES
2--- lynx2-8-5.orig/CHANGES 2004-02-04 07:07:09.000000000 -0500
3+++ lynx2-8-5/CHANGES 2005-10-12 09:26:54.000000000 -0400
4@@ -1,6 +1,11 @@
5 Changes since Lynx 2.8 release
6 ===============================================================================
7
8+2005-0?-?? (2.8.5rel.1)
9+* eliminate fixed-size buffers in HTrjis() and related functions to avoid
10+ potential buffer overflow in nntp pages (report by Ulf Harnhammar).
11+ Back-ported from Thomas Dickey's patch to 2.8.6dev.13 by Seemant Kulleen
12+
13 2004-02-04 (2.8.5rel.1)
14 * build fixes for MINGW32 -DK
15 * build fixes for OS/2 (reported by IZ) -TD
16diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.c lynx2-8-5/WWW/Library/Implementation/HTMIME.c
17--- lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.c 2004-01-07 21:03:09.000000000 -0500
18+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.c 2005-10-12 09:22:59.000000000 -0400
19@@ -2062,15 +2062,9 @@
20 **
21 ** Written by S. Ichikawa,
22 ** partially inspired by encdec.c of <jh@efd.lth.se>.
23-** Assume caller's buffer is LINE_LENGTH bytes, these decode to
24-** no longer than the input strings.
25+** Caller's buffers decode to no longer than the input strings.
26 */
27-#define LINE_LENGTH 512 /* Maximum length of line of ARTICLE etc */
28-#ifdef ESC
29-#undef ESC
30-#endif /* ESC */
31 #include <LYCharVals.h> /* S/390 -- gil -- 0163 */
32-#define ESC CH_ESC
33
34 PRIVATE char HTmm64[] =
35 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ;
36@@ -2078,11 +2072,14 @@
37 PRIVATE int HTmmcont = 0;
38
39 PUBLIC void HTmmdec_base64 ARGS2(
40- char *, t,
41+ char **, t,
42 char *, s)
43 {
44 int d, count, j, val;
45- char buf[LINE_LENGTH], *bp, nw[4], *p;
46+ char *buf, *bp, nw[4], *p;
47+
48+ if ((buf = malloc(strlen(s) * 3 + 1)) == 0)
49+ outofmem(__FILE__, "HTmmdec_base64");
50
51 for (bp = buf; *s; s += 4) {
52 val = 0;
53@@ -2113,14 +2110,18 @@
54 *bp++ = nw[2];
55 }
56 *bp = '\0';
57- strcpy(t, buf);
58+ StrAllocCopy(*t, buf);
59+ FREE(buf);
60 }
61
62 PUBLIC void HTmmdec_quote ARGS2(
63- char *, t,
64+ char **, t,
65 char *, s)
66 {
67- char buf[LINE_LENGTH], cval, *bp, *p;
68+ char *buf, cval, *bp, *p;
69+
70+ if ((buf = malloc(strlen(s) + 1)) == 0)
71+ outofmem(__FILE__, "HTmmdec_quote");
72
73 for (bp = buf; *s; ) {
74 if (*s == '=') {
75@@ -2147,23 +2148,27 @@
76 }
77 }
78 *bp = '\0';
79- strcpy(t, buf);
80+ StrAllocCopy(*t, buf);
81+ FREE(buf);
82 }
83
84 /*
85 ** HTmmdecode for ISO-2022-JP - FM
86 */
87 PUBLIC void HTmmdecode ARGS2(
88- char *, trg,
89- char *, str)
90+ char **, target,
91+ char *, source)
92 {
93- char buf[LINE_LENGTH], mmbuf[LINE_LENGTH];
94+ char *buf;
95+ char *mmbuf = NULL;
96+ char *m2buf = NULL;
97 char *s, *t, *u;
98 int base64, quote;
99
100- buf[0] = '\0';
101+ if ((buf = malloc(strlen(source) + 1)) == 0)
102+ outofmem(__FILE__, "HTmmdecode");
103
104- for (s = str, u = buf; *s; ) {
105+ for (s = source, u = buf; *s; ) {
106 if (!strncasecomp(s, "=?ISO-2022-JP?B?", 16)) {
107 base64 = 1;
108 } else {
109@@ -2177,15 +2182,18 @@
110 if (base64 || quote) {
111 if (HTmmcont) {
112 for (t = s - 1;
113- t >= str && (*t == ' ' || *t == '\t'); t--) {
114+ t >= source && (*t == ' ' || *t == '\t'); t--) {
115 u--;
116 }
117 }
118+ if (mmbuf == 0) /* allocate buffer big enough for source */
119+ StrAllocCopy(mmbuf, source);
120 for (s += 16, t = mmbuf; *s; ) {
121 if (s[0] == '?' && s[1] == '=') {
122 break;
123 } else {
124 *t++ = *s++;
125+ *t = '\0';
126 }
127 }
128 if (s[0] != '?' || s[1] != '=') {
129@@ -2195,10 +2203,10 @@
130 *t = '\0';
131 }
132 if (base64)
133- HTmmdec_base64(mmbuf, mmbuf);
134+ HTmmdec_base64(&m2buf, mmbuf);
135 if (quote)
136- HTmmdec_quote(mmbuf, mmbuf);
137- for (t = mmbuf; *t; )
138+ HTmmdec_quote(&m2buf, mmbuf);
139+ for (t = m2buf; *t; )
140 *u++ = *t++;
141 HTmmcont = 1;
142 /* if (*s == ' ' || *s == '\t') *u++ = *s; */
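Review bot: The copy loop `for (t = m2buf; *t; )` dereferences `m2buf` without a check, although `m2buf` starts as NULL and is only assigned by the final `StrAllocCopy(*t, buf)` in HTmmdec_base64 and HTmmdec_quote. The middle of both decoders is outside these hunks, so I cannot tell whether they can return before that assignment, for example on an invalid input character. If they can, this is a NULL dereference driven by remote header text, and the early return would also leak the decoder's `buf`. Guarding the copy with `if (m2buf != NULL)` and freeing `buf` on every early exit in the decoders would close both. HTmmdecode's body starts and ends outside this hunk.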
143@@ -2211,7 +2219,10 @@
144 }
145 *u = '\0';
146 end:
147- strcpy(trg, buf);
148+ StrAllocCopy(*target, buf);
149+ FREE(m2buf);
150+ FREE(mmbuf);
151+ FREE(buf);
152 }
153
154 /*
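Review bot: `StrAllocCopy(*target, buf)` at `end:` can read `buf` before it has been terminated, because the label sits after `*u = '\0';` and an earlier hunk replaced the stack array and its `buf[0] = '\0';` with a bare `malloc`. The jump to `end:` is not visible in these hunks (the `if (s[0] != '?' || s[1] != '=')` branch looks like the candidate), so this is inferred. Any such jump would now copy from unterminated heap memory. Moving the label one line up, so the exit path reads `end:` followed by `*u = '\0';`, keeps every path terminated.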
155@@ -2219,22 +2230,27 @@
156 ** (The author of this function "rjis" is S. Ichikawa.)
157 */
158 PUBLIC int HTrjis ARGS2(
159- char *, t,
160+ char **, t,
161 char *, s)
162 {
163- char *p, buf[LINE_LENGTH];
164+ char *p;
165+ char *buf = NULL;
166 int kanji = 0;
167
168- if (strchr(s, ESC) || !strchr(s, '$')) {
169- if (s != t)
170- strcpy(t, s);
171+ if (strchr(s, CH_ESC) || !strchr(s, '$')) {
172+ if (s != *t)
173+ StrAllocCopy(*t, s);
174 return 1;
175 }
176+
177+ if ((buf = malloc(strlen(s) * 2 + 1)) == 0)
178+ outofmem(__FILE__, "HTrjis");
179+
180 for (p = buf; *s; ) {
181 if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
182 if (HTmaybekanji((int)s[2], (int)s[3])) {
183 kanji = 1;
184- *p++ = ESC;
185+ *p++ = CH_ESC;
186 *p++ = *s++;
187 *p++ = *s++;
188 *p++ = *s++;
189@@ -2246,7 +2262,7 @@
190 }
191 if (kanji && s[0] == '(' && (s[1] == 'J' || s[1] == 'B')) {
192 kanji = 0;
193- *p++ = ESC;
194+ *p++ = CH_ESC;
195 *p++ = *s++;
196 *p++ = *s++;
197 continue;
198@@ -2255,7 +2271,8 @@
199 }
200 *p = *s; /* terminate string */
201
202- strcpy(t, buf);
203+ StrAllocCopy(*t, buf);
204+ FREE(buf);
205 return 0;
206 }
207
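Review bot: HTrjis still ends with `return 0;` after a successful conversion, while the early no-conversion path returns 1, and the new decode_mime() in the HTNews.c section maps a zero result to the empty string (`return HTrjis(str, *str) ? *str : "";`). As written, a header that actually gets an escape inserted is stored in `*t` but reported to the caller as "", so the callers that use decode_mime's return value would print an empty subject or author. Either return 1 here as well, or document in the function comment what 0 and 1 mean and have decode_mime return `*str` unconditionally. The function body starts outside this hunk.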
208diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.h lynx2-8-5/WWW/Library/Implementation/HTMIME.h
209--- lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.h 2003-01-22 04:43:13.000000000 -0500
210+++ lynx2-8-5/WWW/Library/Implementation/HTMIME.h 2005-10-12 09:24:50.000000000 -0400
211@@ -67,21 +67,13 @@
212 For handling Japanese headers.
213
214 */
215-extern void HTmmdec_base64 PARAMS((
216- char * t,
217- char * s));
218-
219-extern void HTmmdec_quote PARAMS((
220- char * t,
221- char * s));
222-
223 extern void HTmmdecode PARAMS((
224- char * trg,
225- char * str));
226+ char ** target,
227+ char * source));
228
229 extern int HTrjis PARAMS((
230- char * t,
231- char * s));
232+ char ** target,
233+ char * source));
234
235 extern int HTmaybekanji PARAMS((
236 int c1,
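Review bot: The prototypes for HTmmdec_base64 and HTmmdec_quote are dropped from the header, but both functions stay `PUBLIC` in HTMIME.c and their first parameter changed from `char *` to `char **`. Any caller outside HTMIME.c that this patch does not touch would now compile against an implicit declaration and pass a plain buffer where a `char **` is expected. If the two decoders are meant to be internal, declare them `PRIVATE` in HTMIME.c. Otherwise keep the prototypes here with the new `char ** t` parameter so that a stale call fails at compile time.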
237diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTNews.c lynx2-8-5/WWW/Library/Implementation/HTNews.c
238--- lynx2-8-5.orig/WWW/Library/Implementation/HTNews.c 2004-01-07 21:03:09.000000000 -0500
239+++ lynx2-8-5/WWW/Library/Implementation/HTNews.c 2005-10-12 09:05:14.000000000 -0400
240@@ -940,7 +940,6 @@
241 }
242 }
243
244-#ifdef SH_EX /* for MIME */
245 #ifdef NEWS_DEBUG
246 /* for DEBUG 1997/11/07 (Fri) 17:20:16 */
247 void debug_print(unsigned char *p)
248@@ -962,44 +961,15 @@
249 }
250 #endif
251
252-static char *decode_mime(char *str)
253+static char *decode_mime(char **str)
254 {
255- char temp[LINE_LENGTH]; /* FIXME: what determines the actual size? */
256- char *p, *q;
257-
258- if (str == NULL)
259- return "";
260-
261+#ifdef SH_LEX
262 if (HTCJK != JAPANESE)
263- return str;
264-
265- LYstrncpy(temp, str, sizeof(temp) - 1);
266- q = temp;
267- while ((p = strchr(q, '=')) != 0) {
268- if (p[1] == '?') {
269- HTmmdecode(p, p);
270- q = p + 2;
271- } else {
272- q = p + 1;
273- }
274- }
275-#ifdef NEWS_DEBUG
276- printf("new=[");
277- debug_print(temp);
278+ return *str;
279 #endif
280- HTrjis(temp, temp);
281- strcpy(str, temp);
282-
283- return str;
284+ HTmmdecode(str, *str);
285+ return HTrjis(str, *str) ? *str : "";
286 }
287-#else /* !SH_EX */
288-static char *decode_mime ARGS1(char *, str)
289-{
290- HTmmdecode(str, str);
291- HTrjis(str, str);
292- return str;
293-}
294-#endif
295
296
297 /* Read in an Article read_article
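Review bot: The guard is written `#ifdef SH_LEX`, whereas the code removed in this hunk tests `SH_EX`; this looks like a typo, and if so the `HTCJK != JAPANESE` early return is never compiled and every build runs the ISO-2022-JP decoders on all headers. The rewrite also drops the old `if (str == NULL) return "";` check, while `HTmmdecode(str, *str)` starts with `strlen(source)`. A later hunk calls `decode_mime(&subject)` on a `subject` that is initialised to NULL and, in the visible lines, only set when a SUBJECT: line was seen. Suggested: `#ifdef SH_EX`, and at the top of the function `if (str == NULL || *str == NULL) return "";`.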
298@@ -1087,22 +1057,22 @@
299
300 } else if (match(full_line, "SUBJECT:")) {
301 StrAllocCopy(subject, HTStrip(strchr(full_line,':')+1));
302- decode_mime(subject);
303+ decode_mime(&subject);
304 } else if (match(full_line, "DATE:")) {
305 StrAllocCopy(date, HTStrip(strchr(full_line,':')+1));
306
307 } else if (match(full_line, "ORGANIZATION:")) {
308 StrAllocCopy(organization,
309 HTStrip(strchr(full_line,':')+1));
310- decode_mime(organization);
311+ decode_mime(&organization);
312
313 } else if (match(full_line, "FROM:")) {
314 StrAllocCopy(from, HTStrip(strchr(full_line,':')+1));
315- decode_mime(from);
316+ decode_mime(&from);
317
318 } else if (match(full_line, "REPLY-TO:")) {
319 StrAllocCopy(replyto, HTStrip(strchr(full_line,':')+1));
320- decode_mime(replyto);
321+ decode_mime(&replyto);
322
323 } else if (match(full_line, "NEWSGROUPS:")) {
324 StrAllocCopy(newsgroups, HTStrip(strchr(full_line,':')+1));
325@@ -1711,8 +1681,8 @@
326 int, last_required)
327 {
328 char line[LINE_LENGTH+1];
329- char author[LINE_LENGTH+1];
330- char subject[LINE_LENGTH+1];
331+ char *author = NULL;
332+ char *subject = NULL;
333 char *date = NULL;
334 int i;
335 char *p;
336@@ -1723,9 +1693,7 @@
337 char *reference = NULL; /* Href for article */
338 int art; /* Article number WITHIN GROUP */
339 int status, count, first, last; /* Response fields */
340- /* count is only an upper limit */
341
342- author[0] = '\0';
343 START(HTML_HEAD);
344 PUTC('\n');
345 START(HTML_TITLE);
346@@ -1946,8 +1914,8 @@
347 case 'S':
348 case 's':
349 if (match(line, "SUBJECT:")) {
350- LYstrncpy(subject, line+9, sizeof(subject)-1);/* Save subject */
351- decode_mime(subject);
352+ StrAllocCopy(subject, line + 9);
353+ decode_mime(&subject);
354 }
355 break;
356
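Review bot: `StrAllocCopy(subject, line + 9)` keeps the fixed offset from the old code, but "SUBJECT:" is eight characters. For a header line with nothing after the colon, `line + 9` points past the terminator and the copy reads whatever an earlier response left in `line[]`. Whether match() can accept such a line is not visible here. The FROM: branch and read_article() already locate the value with `strchr(line, ':') + 1`, so `StrAllocCopy(subject, HTStrip(strchr(line, ':') + 1));` would be consistent and stay inside the string.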
357@@ -1964,10 +1932,8 @@
358 case 'F':
359 if (match(line, "FROM:")) {
360 char * p2;
361- LYstrncpy(author,
362- author_name(strchr(line,':')+1),
363- sizeof(author)-1);
364- decode_mime(author);
365+ StrAllocCopy(author, strchr(line, ':') + 1);
366+ decode_mime(&author);
367 p2 = author + strlen(author) - 1;
368 if (*p2==LF)
369 *p2 = '\0'; /* Chop off newline */
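Review bot: `p2 = author + strlen(author) - 1;` is computed without checking that `author` is non-empty. With an empty FROM: value, or one that decodes to an empty string, `p2` points one byte before the heap block that `StrAllocCopy` just allocated, and `*p2==LF` reads out of bounds. The pattern predates this patch, but the buffer is now heap memory rather than a stack array; wrapping the newline chop in `if (*author != '\0')` avoids it. The dropped `author_name()` call also changes what is displayed, and if that is intentional it deserves a line in CHANGES.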
370@@ -1988,11 +1954,8 @@
371
372 PUTC('\n');
373 START(HTML_LI);
374-#ifdef SH_EX /* for MIME */
375- HTSprintf0(&temp, "\"%s\"", decode_mime(subject));
376-#else
377- HTSprintf0(&temp, "\"%s\"", subject);
378-#endif
379+ p = decode_mime(&subject);
380+ HTSprintf0(&temp, "\"%s\"", NonNull(p));
381 if (reference) {
382 write_anchor(temp, reference);
383 FREE(reference);
384@@ -2001,18 +1964,14 @@
385 }
386 FREE(temp);
387
388- if (author[0] != '\0') {
389+ if (author != NULL) {
390 PUTS(" - ");
391 if (LYListNewsDates)
392 START(HTML_I);
393-#ifdef SH_EX /* for MIME */
394- PUTS(decode_mime(author));
395-#else
396- PUTS(author);
397-#endif
398+ PUTS(decode_mime(&author));
399 if (LYListNewsDates)
400 END(HTML_I);
401- author[0] = '\0';
402+ FREE(author);
403 }
404 if (date) {
405 if (!diagnostic) {
406@@ -2055,6 +2014,8 @@
407 MAYBE_END(HTML_LI);
408 } /* Handle response to HEAD request */
409 } /* Loop over article */
410+ FREE(author);
411+ FREE(subject);
412 } /* If read headers */
413 PUTC('\n');
414 if (LYListNewsNumbers)