out of bounds array access
From: Todd C. Miller
Subject: out of bounds array access
Date: Sat, 25 Oct 2003 17:08:36 -0600
_nc_infotocap() can access memory outside the bounds of str.
Found by David Krause using some of the new malloc debugging features
under OpenBSD; a fix by Ted Unangst follows. I don't think this
has security implications but should still be fixed.
- todd
--- ncurses/tinfo/captoinfo.c.DIST Sat Sep 28 10:38:59 2002
+++ ncurses/tinfo/captoinfo.c Sat Oct 25 17:03:07 2003
@@ -649,11 +649,11 @@
/* we may have to move some trailing mandatory padding up front */
padding = str + strlen(str) - 1;
- if (*padding == '>' && *--padding == '/') {
+ if (padding > str && *padding == '>' && *--padding == '/') {
--padding;
while (isdigit(UChar(*padding)) || *padding == '.' || *padding == '*')
padding--;
- if (*padding == '<' && *--padding == '$')
+ if (padding > str && *padding == '<' && *--padding == '$')
trimmed = padding;
padding += 2;
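Review bot: the while loop between the two patched tests still runs padding-- with no lower bound, so when the text before the trailing "/>" is empty or consists only of digits, '.' or '*', the loop itself reads *padding before str[0], and the padding > str test added to the second if comes too late to prevent that read. Suggest bounding the loop as well, for example while (padding > str && (isdigit(UChar(*padding)) || *padding == '.' || *padding == '*')). Separately, padding = str + strlen(str) - 1 already forms a pointer before str when str is empty; the new padding > str test avoids the dereference, but checking for an empty string before computing padding would be cleaner.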