bug-ncurses

out of bounds array access


From: Todd C. Miller
Subject: out of bounds array access
Date: Sat, 25 Oct 2003 17:08:36 -0600

_nc_infotocap() can access memory outside the bounds of str.
Found by David Krause using some of the new malloc debugging features
under OpenBSD; a fix by Ted Unangst follows.  I don't think this
has security implications but should still be fixed.

 - todd

--- ncurses/tinfo/captoinfo.c.DIST      Sat Sep 28 10:38:59 2002
+++ ncurses/tinfo/captoinfo.c   Sat Oct 25 17:03:07 2003
@@ -649,11 +649,11 @@
 
     /* we may have to move some trailing mandatory padding up front */
     padding = str + strlen(str) - 1;
-    if (*padding == '>' && *--padding == '/') {
+    if (padding > str && *padding == '>' && *--padding == '/') {
        --padding;
        while (isdigit(UChar(*padding)) || *padding == '.' || *padding == '*')
            padding--;
-       if (*padding == '<' && *--padding == '$')
+       if (padding > str && *padding == '<' && *--padding == '$')
            trimmed = padding;
        padding += 2;
 
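Review bot: The `while` loop between the two new checks still dereferences `*padding` with no lower bound, so the out-of-bounds read is only partly closed. For a string such as "5/>", the first test passes, `--padding` lands on `str`, and the loop's `padding--` then steps to `str - 1` and reads it before the second `padding > str` test is reached. The same happens for "/>" alone, where the `--padding` on the first line of the block already moves below `str`. Consider bounding the scan itself, for example `while (padding > str && (isdigit(UChar(*padding)) || *padding == '.' || *padding == '*'))`, and guarding the preceding `--padding` the same way. Separately, for an empty `str` the expression `str + strlen(str) - 1` forms a pointer before the start of the buffer; the new `padding > str` test avoids the dereference, but an explicit check for an empty string before computing `padding` would avoid relying on a comparison with an out-of-range pointer.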



