bug-textutils

Fix for possible buffer overrun


From: Jan Nieuwenhuizen
Subject: Fix for possible buffer overrun
Date: Mon, 25 Sep 2000 09:42:45 +0200

Hi,

Below is a fix for a possible buffer overrun in cat.

A friend of mine, who is quite smart but somehow hasn't found
enlightenment yet, asked me for the sources of the ``world's
most simple though useful'' Free Software program: cat.

Within five minutes, he replied to my email saying cat wasn't
as simple a program as he would have liked, but he'd already
found a silly buffer overrun.

His intentions are to write a paper crushing ideas like
``given enough eyeballs all bugs will shallow''.  You'll
get the idea.  Because he's probably more influential as
a cryptographer than a programmer, I thought it would be
nice to have a good response to any theories he might
bring forward: it's Free Software so i) you can fix it,
oh and ii) btw, it's already been fixed.

Haven't looked at the rest of the code, or textutils for
that matter.

Greetings,

Jan.


diff -urN ../textutils-2.0g/ChangeLog ./ChangeLog
--- ../textutils-2.0g/ChangeLog Sun Aug  6 11:06:19 2000
+++ ./ChangeLog Fri Sep 22 13:53:04 2000
@@ -1,3 +1,9 @@
+2000-09-22  Jan Nieuwenhuizen  <address@hidden>
+
+       * src/cat.c (MAX_LINE_BUF): Fixed size of line number buffer to
+       prevent buffer overrun.  Replaced raw value by #define.
+       (next_line_num): Fixed (now academic) possible line buffer overrun.
+
 2000-08-06  Jim Meyering  <address@hidden>
 
        * Version 2.0g.
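Review bot: the ChangeLog entry leaves out the third change in this patch, the `outbuf` allocation in cat.c that now uses `outsize - 1 + insize * 4 + MAX_LINE_BUF` instead of the literal 13; add a line such as `(cat): Use MAX_LINE_BUF when sizing outbuf.` so the entry accounts for every hunk. The `(next_line_num)` line would also be more useful if it said what happens at overflow now (a `>` marker replaces the leading digit) instead of only "Fixed".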
diff -urN ../textutils-2.0g/src/cat.c ./src/cat.c
--- ../textutils-2.0g/src/cat.c Thu Jun 22 19:09:08 2000
+++ ./src/cat.c Fri Sep 22 13:55:33 2000
@@ -55,19 +55,21 @@
 /* Descriptor on which input file is open.  */
 static int input_desc;
 
-/* Buffer for line numbers.  */
-static char line_buf[13] =
-{' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', '0', '\t', '\0'};
+/* Buffer for line numbers. 
+   An 11 digit counter may overflow within an hour on a P2/466,
+   an 18 digit counter needs about 1000y */
+#define MAX_LINE_BUF 20
+static char line_buf[MAX_LINE_BUF] = "                 0\t\0";
 
 /* Position in `line_buf' where printing starts.  This will not change
    unless the number of lines is larger than 999999.  */
-static char *line_num_print = line_buf + 5;
+static char *line_num_print = line_buf + MAX_LINE_BUF - 8;
 
 /* Position of the first digit in `line_buf'.  */
-static char *line_num_start = line_buf + 10;
+static char *line_num_start =line_buf + MAX_LINE_BUF - 3; 
 
 /* Position of the last digit in `line_buf'.  */
-static char *line_num_end = line_buf + 10;
+static char *line_num_end = line_buf + MAX_LINE_BUF - 3;
 
 /* Preserves the `cat' function's local `newlines' between invocations.  */
 static int newlines2 = 0;
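Review bot: the layout of `line_buf` is now spelled out by hand in three places that have to agree: the string literal must contain exactly `MAX_LINE_BUF - 3` leading spaces (17 for a value of 20) so that `line_num_start` and `line_num_end` land on the `'0'`, and `line_num_print` at `MAX_LINE_BUF - 8` preserves the five-column gap that the unchanged "larger than 999999" comment depends on; dropping or adding one space in the literal silently shifts every digit position. A comment beside the `#define` naming the positions (18 digits, tab, NUL) would make that contract visible. Style: `static char *line_num_start =line_buf + MAX_LINE_BUF - 3;` is missing the space after `=`, and both that line and the `/* Buffer for line numbers.` line carry trailing whitespace.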
@@ -129,7 +131,10 @@
       *endp-- = '0';
     }
   while (endp >= line_num_start);
-  *--line_num_start = '1';
+  if (line_num_start > line_buf)
+    *--line_num_start = '1';
+  else
+    *line_buf = '>';
   if (line_num_start < line_num_print)
     line_num_print--;
 }
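Review bot: the new branch stops the write before `line_buf`, but it overwrites the leading digit with `>` and leaves `line_num_start` at `line_buf`, so numbering keeps going modulo 10^18 with a `>` prefix rather than stopping or saturating; a comment above the `if` should state that this wrap-with-marker behaviour is intended. The existing `line_num_print` adjustment below stays correct because `line_num_start` can no longer move past the start of the buffer.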
@@ -788,8 +793,8 @@
        {
          inbuf = (unsigned char *) xmalloc (insize + 1);
 
-         /* Why are (OUTSIZE - 1 + INSIZE * 4 + 13) bytes allocated for
-            the output buffer?
+         /* Why are (OUTSIZE - 1 + INSIZE * 4 + MAX_LINE_BUF) bytes allocated
+            for the output buffer?
 
             A test whether output needs to be written is done when the input
             buffer empties or when a newline appears in the input.  After
@@ -802,9 +807,10 @@
             newline, a line number may be written (according to the given
             options) as the first thing in the output buffer. (Done after the
             new input is read, but before processing of the input begins.)  A
-            line number requires seldom more than 13 positions.  */
+            line number requires seldom more than MAX_LINE_BUF positions.  */
 
-         outbuf = (unsigned char *) xmalloc (outsize - 1 + insize * 4 + 13);
+         outbuf = (unsigned char *) xmalloc (outsize - 1 + insize * 4 
+             + MAX_LINE_BUF);
 
          cat (inbuf, insize, outbuf, outsize, quote,
               output_tabs, numbers, numbers_at_empty_lines, mark_line_ends,
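Review bot: with the bounded buffer a line number (digits plus tab) is at most `MAX_LINE_BUF - 1` bytes, so the comment's "requires seldom more than MAX_LINE_BUF positions" understates the guarantee and should read "never more than". Style: the continuation line `+ MAX_LINE_BUF` is indented by a fixed step instead of being aligned under `outsize` as a continued argument list usually is in this code, and the preceding `xmalloc (outsize - 1 + insize * 4 ` line carries trailing whitespace.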

-- 
Jan Nieuwenhuizen <address@hidden> | GNU LilyPond - The music typesetter
http://www.xs4all.nl/~jantien       | http://www.lilypond.org


