Commit | Line | Data |
---|---|---|
e1178872 ER |
1 | diff -urN lynx2-8-5.orig/CHANGES lynx2-8-5/CHANGES |
2 | --- lynx2-8-5.orig/CHANGES 2004-02-04 07:07:09.000000000 -0500 | |
3 | +++ lynx2-8-5/CHANGES 2005-10-12 09:26:54.000000000 -0400 | |
4 | @@ -1,6 +1,11 @@ | |
5 | Changes since Lynx 2.8 release | |
6 | =============================================================================== | |
7 | ||
8 | +2005-0?-?? (2.8.5rel.1) | |
9 | +* eliminate fixed-size buffers in HTrjis() and related functions to avoid | |
10 | + potential buffer overflow in nntp pages (report by Ulf Harnhammar). | |
11 | + Back-ported from Thomas Dickey's patch to 2.8.6dev.13 by Seemant Kulleen | |
12 | + | |
13 | 2004-02-04 (2.8.5rel.1) | |
14 | * build fixes for MINGW32 -DK | |
15 | * build fixes for OS/2 (reported by IZ) -TD | |
16 | diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.c lynx2-8-5/WWW/Library/Implementation/HTMIME.c | |
17 | --- lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.c 2004-01-07 21:03:09.000000000 -0500 | |
18 | +++ lynx2-8-5/WWW/Library/Implementation/HTMIME.c 2005-10-12 09:22:59.000000000 -0400 | |
19 | @@ -2062,15 +2062,9 @@ | |
20 | ** | |
21 | ** Written by S. Ichikawa, | |
22 | ** partially inspired by encdec.c of <jh@efd.lth.se>. | |
23 | -** Assume caller's buffer is LINE_LENGTH bytes, these decode to | |
24 | -** no longer than the input strings. | |
25 | +** Caller's buffers decode to no longer than the input strings. | |
26 | */ | |
27 | -#define LINE_LENGTH 512 /* Maximum length of line of ARTICLE etc */ | |
28 | -#ifdef ESC | |
29 | -#undef ESC | |
30 | -#endif /* ESC */ | |
31 | #include <LYCharVals.h> /* S/390 -- gil -- 0163 */ | |
32 | -#define ESC CH_ESC | |
33 | ||
34 | PRIVATE char HTmm64[] = | |
35 | "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ; | |
36 | @@ -2078,11 +2072,14 @@ | |
37 | PRIVATE int HTmmcont = 0; | |
38 | ||
39 | PUBLIC void HTmmdec_base64 ARGS2( | |
40 | - char *, t, | |
41 | + char **, t, | |
42 | char *, s) | |
43 | { | |
44 | int d, count, j, val; | |
45 | - char buf[LINE_LENGTH], *bp, nw[4], *p; | |
46 | + char *buf, *bp, nw[4], *p; | |
47 | + | |
48 | + if ((buf = malloc(strlen(s) * 3 + 1)) == 0) | |
49 | + outofmem(__FILE__, "HTmmdec_base64"); | |
50 | ||
51 | for (bp = buf; *s; s += 4) { | |
52 | val = 0; | |
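Review bot: The decode loop `for (bp = buf; *s; s += 4)` advances four bytes at a time, so an encoded word whose length is not a multiple of four can move `s` past the terminator before `*s` is tested again. After that, neither the reads from `s` nor the writes through `bp` are bounded by the `strlen(s)` that sized `buf`. The loop body lies between this hunk and the next and is not visible, so this holds only if the body does not stop on an embedded NUL. A length check ahead of the `malloc`, for example `if (strlen(s) % 4 != 0) { StrAllocCopy(*t, ""); return; }`, would close it without touching the loop.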
53 | @@ -2113,14 +2110,18 @@ | |
54 | *bp++ = nw[2]; | |
55 | } | |
56 | *bp = '\0'; | |
57 | - strcpy(t, buf); | |
58 | + StrAllocCopy(*t, buf); | |
59 | + FREE(buf); | |
60 | } | |
61 | ||
62 | PUBLIC void HTmmdec_quote ARGS2( | |
63 | - char *, t, | |
64 | + char **, t, | |
65 | char *, s) | |
66 | { | |
67 | - char buf[LINE_LENGTH], cval, *bp, *p; | |
68 | + char *buf, cval, *bp, *p; | |
69 | + | |
70 | + if ((buf = malloc(strlen(s) + 1)) == 0) | |
71 | + outofmem(__FILE__, "HTmmdec_quote"); | |
72 | ||
73 | for (bp = buf; *s; ) { | |
74 | if (*s == '=') { | |
75 | @@ -2147,23 +2148,27 @@ | |
76 | } | |
77 | } | |
78 | *bp = '\0'; | |
79 | - strcpy(t, buf); | |
80 | + StrAllocCopy(*t, buf); | |
81 | + FREE(buf); | |
82 | } | |
83 | ||
84 | /* | |
85 | ** HTmmdecode for ISO-2022-JP - FM | |
86 | */ | |
87 | PUBLIC void HTmmdecode ARGS2( | |
88 | - char *, trg, | |
89 | - char *, str) | |
90 | + char **, target, | |
91 | + char *, source) | |
92 | { | |
93 | - char buf[LINE_LENGTH], mmbuf[LINE_LENGTH]; | |
94 | + char *buf; | |
95 | + char *mmbuf = NULL; | |
96 | + char *m2buf = NULL; | |
97 | char *s, *t, *u; | |
98 | int base64, quote; | |
99 | ||
100 | - buf[0] = '\0'; | |
101 | + if ((buf = malloc(strlen(source) + 1)) == 0) | |
102 | + outofmem(__FILE__, "HTmmdecode"); | |
103 | ||
104 | - for (s = str, u = buf; *s; ) { | |
105 | + for (s = source, u = buf; *s; ) { | |
106 | if (!strncasecomp(s, "=?ISO-2022-JP?B?", 16)) { | |
107 | base64 = 1; | |
108 | } else { | |
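Review bot: `buf` in HTmmdecode is no longer initialised: the removed `buf[0] = '\0';` has no replacement after the `malloc`, and the `end:` label further down sits after `*u = '\0';`, so any `goto end` hands an unterminated heap buffer to `StrAllocCopy(*target, buf)`. The jump itself is not in the visible hunks (the `if (s[0] != '?' || s[1] != '=')` branch for an unterminated encoded word looks like the candidate), so confirm against the full function. Allocating with `calloc(strlen(source) + 1, 1)` instead of `malloc`, or moving `*u = '\0';` below the label, keeps the copy bounded on every exit path.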
109 | @@ -2177,15 +2182,18 @@ | |
110 | if (base64 || quote) { | |
111 | if (HTmmcont) { | |
112 | for (t = s - 1; | |
113 | - t >= str && (*t == ' ' || *t == '\t'); t--) { | |
114 | + t >= source && (*t == ' ' || *t == '\t'); t--) { | |
115 | u--; | |
116 | } | |
117 | } | |
118 | + if (mmbuf == 0) /* allocate buffer big enough for source */ | |
119 | + StrAllocCopy(mmbuf, source); | |
120 | for (s += 16, t = mmbuf; *s; ) { | |
121 | if (s[0] == '?' && s[1] == '=') { | |
122 | break; | |
123 | } else { | |
124 | *t++ = *s++; | |
125 | + *t = '\0'; | |
126 | } | |
127 | } | |
128 | if (s[0] != '?' || s[1] != '=') { | |
129 | @@ -2195,10 +2203,10 @@ | |
130 | *t = '\0'; | |
131 | } | |
132 | if (base64) | |
133 | - HTmmdec_base64(mmbuf, mmbuf); | |
134 | + HTmmdec_base64(&m2buf, mmbuf); | |
135 | if (quote) | |
136 | - HTmmdec_quote(mmbuf, mmbuf); | |
137 | - for (t = mmbuf; *t; ) | |
138 | + HTmmdec_quote(&m2buf, mmbuf); | |
139 | + for (t = m2buf; *t; ) | |
140 | *u++ = *t++; | |
141 | HTmmcont = 1; | |
142 | /* if (*s == ' ' || *s == '\t') *u++ = *s; */ | |
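Review bot: `m2buf` is read by `for (t = m2buf; *t; )` without a NULL check, yet it starts as NULL and is only assigned by the `StrAllocCopy(*t, buf)` at the very end of HTmmdec_base64 and HTmmdec_quote. The decoder loop bodies are outside the visible hunks; if either can return early on malformed input, the first encoded word dereferences NULL and a later one copies the previous word's text into `buf` again. Clearing the result before each decode and guarding the copy, e.g. `FREE(m2buf);` ahead of `if (base64)` and `for (t = m2buf; t != 0 && *t; )`, makes the contract explicit.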
143 | @@ -2211,7 +2219,10 @@ | |
144 | } | |
145 | *u = '\0'; | |
146 | end: | |
147 | - strcpy(trg, buf); | |
148 | + StrAllocCopy(*target, buf); | |
149 | + FREE(m2buf); | |
150 | + FREE(mmbuf); | |
151 | + FREE(buf); | |
152 | } | |
153 | ||
154 | /* | |
155 | @@ -2219,22 +2230,27 @@ | |
156 | ** (The author of this function "rjis" is S. Ichikawa.) | |
157 | */ | |
158 | PUBLIC int HTrjis ARGS2( | |
159 | - char *, t, | |
160 | + char **, t, | |
161 | char *, s) | |
162 | { | |
163 | - char *p, buf[LINE_LENGTH]; | |
164 | + char *p; | |
165 | + char *buf = NULL; | |
166 | int kanji = 0; | |
167 | ||
168 | - if (strchr(s, ESC) || !strchr(s, '$')) { | |
169 | - if (s != t) | |
170 | - strcpy(t, s); | |
171 | + if (strchr(s, CH_ESC) || !strchr(s, '$')) { | |
172 | + if (s != *t) | |
173 | + StrAllocCopy(*t, s); | |
174 | return 1; | |
175 | } | |
176 | + | |
177 | + if ((buf = malloc(strlen(s) * 2 + 1)) == 0) | |
178 | + outofmem(__FILE__, "HTrjis"); | |
179 | + | |
180 | for (p = buf; *s; ) { | |
181 | if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) { | |
182 | if (HTmaybekanji((int)s[2], (int)s[3])) { | |
183 | kanji = 1; | |
184 | - *p++ = ESC; | |
185 | + *p++ = CH_ESC; | |
186 | *p++ = *s++; | |
187 | *p++ = *s++; | |
188 | *p++ = *s++; | |
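Review bot: `HTmaybekanji((int)s[2], (int)s[3])` reads `s[3]` whenever the input contains `$@` or `$B`, including when that pair is the last two bytes and `s[2]` is already the terminator, which is one byte past the string. The callers in this patch now pass heap strings sized by StrAllocCopy, so that read can fall outside the allocation. Testing the third byte first, `if (s[2] != '\0' && HTmaybekanji((int)s[2], (int)s[3])) {`, keeps the lookahead inside the string. The rest of the loop lies outside this hunk.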
189 | @@ -2246,7 +2262,7 @@ | |
190 | } | |
191 | if (kanji && s[0] == '(' && (s[1] == 'J' || s[1] == 'B')) { | |
192 | kanji = 0; | |
193 | - *p++ = ESC; | |
194 | + *p++ = CH_ESC; | |
195 | *p++ = *s++; | |
196 | *p++ = *s++; | |
197 | continue; | |
198 | @@ -2255,7 +2271,8 @@ | |
199 | } | |
200 | *p = *s; /* terminate string */ | |
201 | ||
202 | - strcpy(t, buf); | |
203 | + StrAllocCopy(*t, buf); | |
204 | + FREE(buf); | |
205 | return 0; | |
206 | } | |
207 | ||
208 | diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.h lynx2-8-5/WWW/Library/Implementation/HTMIME.h | |
209 | --- lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.h 2003-01-22 04:43:13.000000000 -0500 | |
210 | +++ lynx2-8-5/WWW/Library/Implementation/HTMIME.h 2005-10-12 09:24:50.000000000 -0400 | |
211 | @@ -67,21 +67,13 @@ | |
212 | For handling Japanese headers. | |
213 | ||
214 | */ | |
215 | -extern void HTmmdec_base64 PARAMS(( | |
216 | - char * t, | |
217 | - char * s)); | |
218 | - | |
219 | -extern void HTmmdec_quote PARAMS(( | |
220 | - char * t, | |
221 | - char * s)); | |
222 | - | |
223 | extern void HTmmdecode PARAMS(( | |
224 | - char * trg, | |
225 | - char * str)); | |
226 | + char ** target, | |
227 | + char * source)); | |
228 | ||
229 | extern int HTrjis PARAMS(( | |
230 | - char * t, | |
231 | - char * s)); | |
232 | + char ** target, | |
233 | + char * source)); | |
234 | ||
235 | extern int HTmaybekanji PARAMS(( | |
236 | int c1, | |
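Review bot: The prototypes for HTmmdec_base64 and HTmmdec_quote are removed here, but both functions are still defined `PUBLIC` in HTMIME.c with a new `char **` first parameter. A caller in another file that still passes a `char *` destination would compile against an implicit declaration and hand the decoder a pointer of the wrong level. Either make the two definitions `PRIVATE`, or keep the declarations with the new signature, e.g. `extern void HTmmdec_base64 PARAMS((char ** target, char * source));`. A short comment on HTmmdecode and HTrjis saying that `*target` is replaced through StrAllocCopy, so it must be NULL or a heap string owned by the caller, would also help.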
237 | diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTNews.c lynx2-8-5/WWW/Library/Implementation/HTNews.c | |
238 | --- lynx2-8-5.orig/WWW/Library/Implementation/HTNews.c 2004-01-07 21:03:09.000000000 -0500 | |
239 | +++ lynx2-8-5/WWW/Library/Implementation/HTNews.c 2005-10-12 09:05:14.000000000 -0400 | |
240 | @@ -940,7 +940,6 @@ | |
241 | } | |
242 | } | |
243 | ||
244 | -#ifdef SH_EX /* for MIME */ | |
245 | #ifdef NEWS_DEBUG | |
246 | /* for DEBUG 1997/11/07 (Fri) 17:20:16 */ | |
247 | void debug_print(unsigned char *p) | |
248 | @@ -962,44 +961,15 @@ | |
249 | } | |
250 | #endif | |
251 | ||
252 | -static char *decode_mime(char *str) | |
253 | +static char *decode_mime(char **str) | |
254 | { | |
255 | - char temp[LINE_LENGTH]; /* FIXME: what determines the actual size? */ | |
256 | - char *p, *q; | |
257 | - | |
258 | - if (str == NULL) | |
259 | - return ""; | |
260 | - | |
261 | +#ifdef SH_LEX | |
262 | if (HTCJK != JAPANESE) | |
263 | - return str; | |
264 | - | |
265 | - LYstrncpy(temp, str, sizeof(temp) - 1); | |
266 | - q = temp; | |
267 | - while ((p = strchr(q, '=')) != 0) { | |
268 | - if (p[1] == '?') { | |
269 | - HTmmdecode(p, p); | |
270 | - q = p + 2; | |
271 | - } else { | |
272 | - q = p + 1; | |
273 | - } | |
274 | - } | |
275 | -#ifdef NEWS_DEBUG | |
276 | - printf("new=["); | |
277 | - debug_print(temp); | |
278 | + return *str; | |
279 | #endif | |
280 | - HTrjis(temp, temp); | |
281 | - strcpy(str, temp); | |
282 | - | |
283 | - return str; | |
284 | + HTmmdecode(str, *str); | |
285 | + return HTrjis(str, *str) ? *str : ""; | |
286 | } | |
287 | -#else /* !SH_EX */ | |
288 | -static char *decode_mime ARGS1(char *, str) | |
289 | -{ | |
290 | - HTmmdecode(str, str); | |
291 | - HTrjis(str, str); | |
292 | - return str; | |
293 | -} | |
294 | -#endif | |
295 | ||
296 | ||
297 | /* Read in an Article read_article | |
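Review bot: The return expression `HTrjis(str, *str) ? *str : ""` looks inverted: in the HTMIME.c part of this patch HTrjis returns 1 when it leaves the string alone and 0 after it has rewritten `*t`, so decode_mime returns an empty string for any header that contains `$` without an escape byte. The two callers that use the return value (the `HTSprintf0` for the subject and `PUTS(decode_mime(&author))`) would then print nothing for such headers. Calling `HTrjis(str, *str);` for its effect and ending with `return *str;` matches what the other call sites, which ignore the return value, already assume. Separately, the guard is spelled `#ifdef SH_LEX` while every removed line uses `SH_EX`; if that is a typo, the `HTCJK != JAPANESE` shortcut is never compiled in.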
298 | @@ -1087,22 +1057,22 @@ | |
299 | ||
300 | } else if (match(full_line, "SUBJECT:")) { | |
301 | StrAllocCopy(subject, HTStrip(strchr(full_line,':')+1)); | |
302 | - decode_mime(subject); | |
303 | + decode_mime(&subject); | |
304 | } else if (match(full_line, "DATE:")) { | |
305 | StrAllocCopy(date, HTStrip(strchr(full_line,':')+1)); | |
306 | ||
307 | } else if (match(full_line, "ORGANIZATION:")) { | |
308 | StrAllocCopy(organization, | |
309 | HTStrip(strchr(full_line,':')+1)); | |
310 | - decode_mime(organization); | |
311 | + decode_mime(&organization); | |
312 | ||
313 | } else if (match(full_line, "FROM:")) { | |
314 | StrAllocCopy(from, HTStrip(strchr(full_line,':')+1)); | |
315 | - decode_mime(from); | |
316 | + decode_mime(&from); | |
317 | ||
318 | } else if (match(full_line, "REPLY-TO:")) { | |
319 | StrAllocCopy(replyto, HTStrip(strchr(full_line,':')+1)); | |
320 | - decode_mime(replyto); | |
321 | + decode_mime(&replyto); | |
322 | ||
323 | } else if (match(full_line, "NEWSGROUPS:")) { | |
324 | StrAllocCopy(newsgroups, HTStrip(strchr(full_line,':')+1)); | |
325 | @@ -1711,8 +1681,8 @@ | |
326 | int, last_required) | |
327 | { | |
328 | char line[LINE_LENGTH+1]; | |
329 | - char author[LINE_LENGTH+1]; | |
330 | - char subject[LINE_LENGTH+1]; | |
331 | + char *author = NULL; | |
332 | + char *subject = NULL; | |
333 | char *date = NULL; | |
334 | int i; | |
335 | char *p; | |
336 | @@ -1723,9 +1693,7 @@ | |
337 | char *reference = NULL; /* Href for article */ | |
338 | int art; /* Article number WITHIN GROUP */ | |
339 | int status, count, first, last; /* Response fields */ | |
340 | - /* count is only an upper limit */ | |
341 | ||
342 | - author[0] = '\0'; | |
343 | START(HTML_HEAD); | |
344 | PUTC('\n'); | |
345 | START(HTML_TITLE); | |
346 | @@ -1946,8 +1914,8 @@ | |
347 | case 'S': | |
348 | case 's': | |
349 | if (match(line, "SUBJECT:")) { | |
350 | - LYstrncpy(subject, line+9, sizeof(subject)-1);/* Save subject */ | |
351 | - decode_mime(subject); | |
352 | + StrAllocCopy(subject, line + 9); | |
353 | + decode_mime(&subject); | |
354 | } | |
355 | break; | |
356 | ||
357 | @@ -1964,10 +1932,8 @@ | |
358 | case 'F': | |
359 | if (match(line, "FROM:")) { | |
360 | char * p2; | |
361 | - LYstrncpy(author, | |
362 | - author_name(strchr(line,':')+1), | |
363 | - sizeof(author)-1); | |
364 | - decode_mime(author); | |
365 | + StrAllocCopy(author, strchr(line, ':') + 1); | |
366 | + decode_mime(&author); | |
367 | p2 = author + strlen(author) - 1; | |
368 | if (*p2==LF) | |
369 | *p2 = '\0'; /* Chop off newline */ | |
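Review bot: `p2 = author + strlen(author) - 1;` points one byte before the heap block when the text after `From:` is empty, and `*p2 = '\0'` can then write there. Computing the end pointer and checking it first, `p2 = author + strlen(author);` followed by `if (p2 > author && p2[-1] == LF) p2[-1] = '\0';`, stays inside the allocation. The new `StrAllocCopy(author, strchr(line, ':') + 1)` also drops the `author_name()` call that the removed lines applied to the header value; the CHANGES entry does not mention it, so confirm the change in displayed text is intended.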
370 | @@ -1988,11 +1954,8 @@ | |
371 | ||
372 | PUTC('\n'); | |
373 | START(HTML_LI); | |
374 | -#ifdef SH_EX /* for MIME */ | |
375 | - HTSprintf0(&temp, "\"%s\"", decode_mime(subject)); | |
376 | -#else | |
377 | - HTSprintf0(&temp, "\"%s\"", subject); | |
378 | -#endif | |
379 | + p = decode_mime(&subject); | |
380 | + HTSprintf0(&temp, "\"%s\"", NonNull(p)); | |
381 | if (reference) { | |
382 | write_anchor(temp, reference); | |
383 | FREE(reference); | |
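Review bot: `p = decode_mime(&subject);` can run with `subject` still NULL (it is now initialised to NULL and only set when a Subject line is matched). decode_mime no longer has the `str == NULL` early return, so unless the `SH_LEX` shortcut returns first, HTmmdecode reaches `strlen(source)` with a null pointer. The `NonNull(p)` on the next line comes too late, though whether this call is reachable without a Subject header depends on code outside the hunk. Restoring a guard at the top of decode_mime, `if (str == NULL || *str == NULL) return "";`, covers this call and the others. In the visible hunks `subject` is also released only after the article loop, unlike `author`, so an article without a Subject line would show the previous article's subject.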
384 | @@ -2001,18 +1964,14 @@ | |
385 | } | |
386 | FREE(temp); | |
387 | ||
388 | - if (author[0] != '\0') { | |
389 | + if (author != NULL) { | |
390 | PUTS(" - "); | |
391 | if (LYListNewsDates) | |
392 | START(HTML_I); | |
393 | -#ifdef SH_EX /* for MIME */ | |
394 | - PUTS(decode_mime(author)); | |
395 | -#else | |
396 | - PUTS(author); | |
397 | -#endif | |
398 | + PUTS(decode_mime(&author)); | |
399 | if (LYListNewsDates) | |
400 | END(HTML_I); | |
401 | - author[0] = '\0'; | |
402 | + FREE(author); | |
403 | } | |
404 | if (date) { | |
405 | if (!diagnostic) { | |
406 | @@ -2055,6 +2014,8 @@ | |
407 | MAYBE_END(HTML_LI); | |
408 | } /* Handle response to HEAD request */ | |
409 | } /* Loop over article */ | |
410 | + FREE(author); | |
411 | + FREE(subject); | |
412 | } /* If read headers */ | |
413 | PUTC('\n'); | |
414 | if (LYListNewsNumbers) |