Hi guys,
I was looking at the Aptitude source code, and came across this in the src/download_list.cc file, starting from line 313:

> char intbuf[50]; // Waay more than enough.
>
> sprintf(intbuf,
>         " [ %sB/%sB ]",
>         SizeToStr(serf->CurrentSize).c_str(),
>         SizeToStr(serf->TotalSize).c_str());

It is my understanding that 'serf->TotalSize' is determined by the header values that the webserver sends to the client prior to sending off the whole file. Since it uses the header values given by Apache, is it not possible to spoof those numbers to cause a buffer overflow?

Doing a quick check, the same code is used in src/download_item.cc on line 99.

SizeToStr goes up to 'YottaBytes', I believe, so if one were to set the size header to '100000000000000000000000000000000000000000 yottabytes', they could cause a buffer overflow. That is 1e+65 bytes.

It probably isn't of concern, but I'd just like to report it in case. I think it's good practice too. Since it's not really a serious thing, I won't bother sending this to the Debian security team.

Thanks,
_______________________________________________ Aptitude-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/aptitude-devel
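As an added example in C (not from the email or from Aptitude's source): a stand-in for SizeToStr that mimics its kilo-through-yotta scaling, a helper that measures how long the " [ %sB/%sB ]" text would be for a given pair of sizes, and a bounded replacement for the sprintf() call that reports truncation instead of writing past the buffer. The size_to_str stand-in, the function names and the sample sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for apt's SizeToStr (assumed shape, not the real function):
 * scale by 1000 through the 'Y' suffix, then print what is left with
 * %.0f, so a value far above 1e24 bytes becomes a long digit run + 'Y'. */
static void size_to_str(double size, char *out, size_t outlen)
{
    static const char ext[] = { '\0', 'k', 'M', 'G', 'T', 'P', 'E', 'Z', 'Y' };
    int i = 0;
    while (i < 8 && size >= 10000.0) {
        size /= 1000.0;
        i++;
    }
    if (ext[i] == '\0')
        snprintf(out, outlen, "%.0f", size);
    else
        snprintf(out, outlen, "%.0f%c", size, ext[i]);
}

/* Length (without NUL) the " [ %sB/%sB ]" text needs for these sizes,
 * measured with snprintf(NULL, 0, ...) so nothing is written anywhere. */
static size_t progress_len(double cur, double total)
{
    char a[64], b[64];
    size_to_str(cur, a, sizeof a);
    size_to_str(total, b, sizeof b);
    int n = snprintf(NULL, 0, " [ %sB/%sB ]", a, b);
    return n < 0 ? 0 : (size_t)n;
}

/* Bounded replacement for the sprintf() call: never writes past buflen,
 * always NUL-terminates, returns 1 if the text fit and 0 if truncated. */
static int format_progress(char *buf, size_t buflen, double cur, double total)
{
    char a[64], b[64];
    size_to_str(cur, a, sizeof a);
    size_to_str(total, b, sizeof b);
    int n = snprintf(buf, buflen, " [ %sB/%sB ]", a, b);
    return n >= 0 && (size_t)n < buflen;
}

int main(void)
{
    char intbuf[50]; /* same size as in the reported code */
    /* Constructed inputs: a realistic download, then the 1e65-byte total. */
    printf("%zu bytes needed for 512000/1024000\n", progress_len(512000, 1024000));
    printf("%zu bytes needed for 0/1e65, buffer holds %zu\n", progress_len(0, 1e65), sizeof intbuf);
    printf("fit=%d \"%s\"\n", format_progress(intbuf, sizeof intbuf, 0, 1e65), intbuf);
    return 0;
}
```

Any TotalSize whose formatted text needs 50 bytes or more would run the original sprintf() past intbuf; the bounded version keeps the write inside the buffer and lets the caller notice the truncation.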

