1 diff -urN lynx2-8-5.orig/CHANGES lynx2-8-5/CHANGES
2 --- lynx2-8-5.orig/CHANGES 2004-02-04 07:07:09.000000000 -0500
3 +++ lynx2-8-5/CHANGES 2005-10-12 09:26:54.000000000 -0400
5 Changes since Lynx 2.8 release
6 ===============================================================================
8 +2005-0?-?? (2.8.5rel.1)
9 +* eliminate fixed-size buffers in HTrjis() and related functions to avoid
10 + potential buffer overflow in nntp pages (report by Ulf Harnhammar).
11 + Back-ported from Thomas Dickey's patch to 2.8.6dev.13 by Seemant Kulleen
13 2004-02-04 (2.8.5rel.1)
14 * build fixes for MINGW32 -DK
15 * build fixes for OS/2 (reported by IZ) -TD
16 diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.c lynx2-8-5/WWW/Library/Implementation/HTMIME.c
17 --- lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.c 2004-01-07 21:03:09.000000000 -0500
18 +++ lynx2-8-5/WWW/Library/Implementation/HTMIME.c 2005-10-12 09:22:59.000000000 -0400
19 @@ -2062,15 +2062,9 @@
21 ** Written by S. Ichikawa,
22 ** partially inspired by encdec.c of <jh@efd.lth.se>.
23 -** Assume caller's buffer is LINE_LENGTH bytes, these decode to
24 -** no longer than the input strings.
25 +** Caller's buffers decode to no longer than the input strings.
27 -#define LINE_LENGTH 512 /* Maximum length of line of ARTICLE etc */
31 #include <LYCharVals.h> /* S/390 -- gil -- 0163 */
34 PRIVATE char HTmm64[] =
35 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ;
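Review bot: The rewritten header comment at 25 still speaks of "caller's buffers", but after this change the callers no longer supply a buffer at all: each decoder builds its result in a malloc'd scratch string and hands it back with StrAllocCopy into the caller's pointer (gutter 58, 80, 148, 203). The contract worth documenting is therefore ownership rather than size, e.g. `** Results are returned via StrAllocCopy() into the caller's char pointer, which must be NULL or a heap string; any previous value is freed.` The matching FREE of each scratch buffer is not visible in the hunks shown here, so it should be confirmed on every return path, including the early return in HTrjis.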
36 @@ -2078,11 +2072,14 @@
37 PRIVATE int HTmmcont = 0;
39 PUBLIC void HTmmdec_base64 ARGS2(
45 - char buf[LINE_LENGTH], *bp, nw[4], *p;
46 + char *buf, *bp, nw[4], *p;
48 + if ((buf = malloc(strlen(s) * 3 + 1)) == 0)
49 + outofmem(__FILE__, "HTmmdec_base64");
51 for (bp = buf; *s; s += 4) {
53 @@ -2113,14 +2110,18 @@
58 + StrAllocCopy(*t, buf);
62 PUBLIC void HTmmdec_quote ARGS2(
67 - char buf[LINE_LENGTH], cval, *bp, *p;
68 + char *buf, cval, *bp, *p;
70 + if ((buf = malloc(strlen(s) + 1)) == 0)
71 + outofmem(__FILE__, "HTmmdec_quote");
73 for (bp = buf; *s; ) {
75 @@ -2147,23 +2148,27 @@
80 + StrAllocCopy(*t, buf);
85 ** HTmmdecode for ISO-2022-JP - FM
87 PUBLIC void HTmmdecode ARGS2(
93 - char buf[LINE_LENGTH], mmbuf[LINE_LENGTH];
101 + if ((buf = malloc(strlen(source) + 1)) == 0)
102 + outofmem(__FILE__, "HTmmdecode");
104 - for (s = str, u = buf; *s; ) {
105 + for (s = source, u = buf; *s; ) {
106 if (!strncasecomp(s, "=?ISO-2022-JP?B?", 16)) {
109 @@ -2177,15 +2182,18 @@
110 if (base64 || quote) {
113 - t >= str && (*t == ' ' || *t == '\t'); t--) {
114 + t >= source && (*t == ' ' || *t == '\t'); t--) {
118 + if (mmbuf == 0) /* allocate buffer big enough for source */
119 + StrAllocCopy(mmbuf, source);
120 for (s += 16, t = mmbuf; *s; ) {
121 if (s[0] == '?' && s[1] == '=') {
128 if (s[0] != '?' || s[1] != '=') {
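Review bot: The comment on the added line 118 says mmbuf is "big enough for source", but what actually bounds the copy loop at 120 is that it only ever copies a tail of source (it starts at s + 16 and stops at NUL or the `?=` terminator) and that mmbuf, allocated once per call, is reused for every encoded word; that reasoning belongs in the comment, e.g. `/* mmbuf receives a substring of source, so one copy of source is always large enough; reused for each encoded word */`. The length of an encoded word is not checked anywhere else, so this size argument is the only thing keeping the loop inside mmbuf. HTmmdecode's body continues outside the hunk.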
129 @@ -2195,10 +2203,10 @@
133 - HTmmdec_base64(mmbuf, mmbuf);
134 + HTmmdec_base64(&m2buf, mmbuf);
136 - HTmmdec_quote(mmbuf, mmbuf);
137 - for (t = mmbuf; *t; )
138 + HTmmdec_quote(&m2buf, mmbuf);
139 + for (t = m2buf; *t; )
142 /* if (*s == ' ' || *s == '\t') *u++ = *s; */
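Review bot: The loop at 139 copies the decoded text in m2buf into u, i.e. into buf, and the only thing keeping it within buf's strlen(source) + 1 bytes (allocated at gutter 101) is that base64 and quoted-printable decoding never yield more bytes than the encoded word they replace; that invariant is silent here and deserves a comment on the `for (t = m2buf; *t; )` line, e.g. `/* decoded text is never longer than the encoded word it replaces, so u cannot run past buf */`. If either decoder were ever changed to expand its input, this loop would overrun buf with no check. HTmmdecode's body continues outside the hunk.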
143 @@ -2211,7 +2219,10 @@
148 + StrAllocCopy(*target, buf);
155 @@ -2219,22 +2230,27 @@
156 ** (The author of this function "rjis" is S. Ichikawa.)
158 PUBLIC int HTrjis ARGS2(
163 - char *p, buf[LINE_LENGTH];
168 - if (strchr(s, ESC) || !strchr(s, '$')) {
171 + if (strchr(s, CH_ESC) || !strchr(s, '$')) {
173 + StrAllocCopy(*t, s);
177 + if ((buf = malloc(strlen(s) * 2 + 1)) == 0)
178 + outofmem(__FILE__, "HTrjis");
180 for (p = buf; *s; ) {
181 if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
182 if (HTmaybekanji((int)s[2], (int)s[3])) {
189 @@ -2246,7 +2262,7 @@
191 if (kanji && s[0] == '(' && (s[1] == 'J' || s[1] == 'B')) {
198 @@ -2255,7 +2271,8 @@
200 *p = *s; /* terminate string */
203 + StrAllocCopy(*t, buf);
208 diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.h lynx2-8-5/WWW/Library/Implementation/HTMIME.h
209 --- lynx2-8-5.orig/WWW/Library/Implementation/HTMIME.h 2003-01-22 04:43:13.000000000 -0500
210 +++ lynx2-8-5/WWW/Library/Implementation/HTMIME.h 2005-10-12 09:24:50.000000000 -0400
212 For handling Japanese headers.
215 -extern void HTmmdec_base64 PARAMS((
219 -extern void HTmmdec_quote PARAMS((
223 extern void HTmmdecode PARAMS((
229 extern int HTrjis PARAMS((
235 extern int HTmaybekanji PARAMS((
237 diff -urN lynx2-8-5.orig/WWW/Library/Implementation/HTNews.c lynx2-8-5/WWW/Library/Implementation/HTNews.c
238 --- lynx2-8-5.orig/WWW/Library/Implementation/HTNews.c 2004-01-07 21:03:09.000000000 -0500
239 +++ lynx2-8-5/WWW/Library/Implementation/HTNews.c 2005-10-12 09:05:14.000000000 -0400
244 -#ifdef SH_EX /* for MIME */
246 /* for DEBUG 1997/11/07 (Fri) 17:20:16 */
247 void debug_print(unsigned char *p)
248 @@ -962,44 +961,15 @@
252 -static char *decode_mime(char *str)
253 +static char *decode_mime(char **str)
255 - char temp[LINE_LENGTH]; /* FIXME: what determines the actual size? */
262 if (HTCJK != JAPANESE)
265 - LYstrncpy(temp, str, sizeof(temp) - 1);
267 - while ((p = strchr(q, '=')) != 0) {
280 - HTrjis(temp, temp);
284 + HTmmdecode(str, *str);
285 + return HTrjis(str, *str) ? *str : "";
288 -static char *decode_mime ARGS1(char *, str)
290 - HTmmdecode(str, str);
297 /* Read in an Article read_article
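Review bot: `return HTrjis(str, *str) ? *str : "";` at 285 hands back an empty string whenever HTrjis reports that no conversion was needed, and the callers at gutter 379–380 and 398 print that return value rather than the pointer they passed in, so a Japanese-locale subject or author line containing no kanji shift sequences would display as empty if HTrjis still returns 0 on its early path (its `return` after gutter 173 is not in the hunk). Unless the empty string is intended, `HTrjis(str, *str); return *str;` keeps the pre-change behaviour of always returning the decoded string. The same call passes `*str` as both source and target; HTmmdecode copies source into its own buffer before the final StrAllocCopy, but HTrjis's early `StrAllocCopy(*t, s)` at 173 is a self-copy and relies on StrAllocCopy (or a guard on the dropped line 172) doing nothing when source and destination are the same pointer — worth confirming, since freeing `*t` before duplicating `s` would be a use-after-free.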
298 @@ -1087,22 +1057,22 @@
300 } else if (match(full_line, "SUBJECT:")) {
301 StrAllocCopy(subject, HTStrip(strchr(full_line,':')+1));
302 - decode_mime(subject);
303 + decode_mime(&subject);
304 } else if (match(full_line, "DATE:")) {
305 StrAllocCopy(date, HTStrip(strchr(full_line,':')+1));
307 } else if (match(full_line, "ORGANIZATION:")) {
308 StrAllocCopy(organization,
309 HTStrip(strchr(full_line,':')+1));
310 - decode_mime(organization);
311 + decode_mime(&organization);
313 } else if (match(full_line, "FROM:")) {
314 StrAllocCopy(from, HTStrip(strchr(full_line,':')+1));
316 + decode_mime(&from);
318 } else if (match(full_line, "REPLY-TO:")) {
319 StrAllocCopy(replyto, HTStrip(strchr(full_line,':')+1));
320 - decode_mime(replyto);
321 + decode_mime(&replyto);
323 } else if (match(full_line, "NEWSGROUPS:")) {
324 StrAllocCopy(newsgroups, HTStrip(strchr(full_line,':')+1));
325 @@ -1711,8 +1681,8 @@
328 char line[LINE_LENGTH+1];
329 - char author[LINE_LENGTH+1];
330 - char subject[LINE_LENGTH+1];
331 + char *author = NULL;
332 + char *subject = NULL;
336 @@ -1723,9 +1693,7 @@
337 char *reference = NULL; /* Href for article */
338 int art; /* Article number WITHIN GROUP */
339 int status, count, first, last; /* Response fields */
340 - /* count is only an upper limit */
346 @@ -1946,8 +1914,8 @@
349 if (match(line, "SUBJECT:")) {
350 - LYstrncpy(subject, line+9, sizeof(subject)-1);/* Save subject */
351 - decode_mime(subject);
352 + StrAllocCopy(subject, line + 9);
353 + decode_mime(&subject);
357 @@ -1964,10 +1932,8 @@
359 if (match(line, "FROM:")) {
362 - author_name(strchr(line,':')+1),
364 - decode_mime(author);
365 + StrAllocCopy(author, strchr(line, ':') + 1);
366 + decode_mime(&author);
367 p2 = author + strlen(author) - 1;
369 *p2 = '\0'; /* Chop off newline */
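Review bot: `p2 = author + strlen(author) - 1;` at 367 points one byte before the allocation when author is empty, which is possible here because StrAllocCopy at 365 copies whatever follows the colon and decode_mime may shorten it; the store at 369 would then write before the heap block (the condition on the dropped line 368 is not visible, so this is hedged). Guard the chop with `if (*author != '\0') {` around lines 367–369. The old fixed array had the same arithmetic, but an underwrite of a malloc'd block is the more serious outcome. The enclosing loop continues outside the hunk.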
370 @@ -1988,11 +1954,8 @@
374 -#ifdef SH_EX /* for MIME */
375 - HTSprintf0(&temp, "\"%s\"", decode_mime(subject));
377 - HTSprintf0(&temp, "\"%s\"", subject);
379 + p = decode_mime(&subject);
380 + HTSprintf0(&temp, "\"%s\"", NonNull(p));
382 write_anchor(temp, reference);
384 @@ -2001,18 +1964,14 @@
388 - if (author[0] != '\0') {
389 + if (author != NULL) {
393 -#ifdef SH_EX /* for MIME */
394 - PUTS(decode_mime(author));
398 + PUTS(decode_mime(&author));
406 @@ -2055,6 +2014,8 @@
408 } /* Handle response to HEAD request */
409 } /* Loop over article */
412 } /* If read headers */
414 if (LYListNewsNumbers)