[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug-enscript] [bug #38998] get_next_token() crash
|
From: |
Tim Waugh |
|
Subject: |
[bug-enscript] [bug #38998] get_next_token() crash |
|
Date: |
Wed, 15 May 2013 13:56:38 +0000 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0 |
URL:
<http://savannah.gnu.org/bugs/?38998>
Summary: get_next_token() crash
Project: GNU Enscript
Submitted by: twaugh
Submitted on: Wed 15 May 2013 13:56:36 GMT
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
There is insufficient bounds checking in the get_next_token() function in
psgen.c.
1931 else if (bufpos - 2 > w
1932 && ISOCTAL (buffer[bufpos])
1933 && ISOCTAL (buffer[bufpos - 1])
1934 && ISOCTAL (buffer[bufpos - 2])
1935 && buffer[bufpos - 3] == '\\')
bufpos is an unsigned int, but w is an int. If bufpos < 2, this comparison
evaluates as true.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Wed 15 May 2013 13:56:36 GMT Name: enscript-bufpos-crash.patch Size:
571B By: twaugh
<http://savannah.gnu.org/bugs/download.php?file_id=28087>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?38998>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [bug-enscript] [bug #38998] get_next_token() crash,
Tim Waugh <=