Re: [fossil-users] src/wikiformat.c Is_ticket : It may be better to check the size before memcpy

kowlsd3pw23s Sat, 10 Jun 2017 20:58:02 -0700

It is not a problem on the surface now,
but internally it causes Buffer Overruns.


(1) commit
fossil commit -m "[$(fossil whatis trunk | grep -P "^artifact" | grep -o "[^ 
]*$")] " --allow-empty

(2) insert test code and recomile
Index: src/wikiformat.c
==================================================================
--- src/wikiformat.c
+++ src/wikiformat.c
@@ -1113,10 +1113,17 @@
   int n;
   int rc;
   char zLower[UUID_SIZE+1];
   char zUpper[UUID_SIZE+1];
   n = strlen(zTarget);
+  if (n+1 > sizeof(zLower)){
+   @ <p style="color:red"><b>Error Buffer Overruns:</b>
+   @  n+1 is %d(n+1):
+   @  zLower size%d(sizeof(zLower)).
+   @  UUID_SIZE:%d(UUID_SIZE).
+   @ </p>
+  }
   memcpy(zLower, zTarget, n+1);
   canonical16(zLower, n+1);
   memcpy(zUpper, zLower, n+1);
   zUpper[n-1]++;
   if( once ){

(3) access web timeline page

Result
Leaf:
Error Buffer Overruns: n+1 is 65: zLower size41. UUID_SIZE:40.
[a10fc448ed3fce5113c2a44d18df0172c64a55624c4e21572566144106791b04]

_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Re: [fossil-users] src/wikiformat.c Is_ticket : It may be better to check the size before memcpy

Reply via email to