On Sat, 30 Nov 2019, Marcin Cieslak wrote:

On Fri, 29 Nov 2019, Jon Trulson wrote:

On 11/29/19 9:12 PM, Marcin Cieslak wrote:
On Fri, 29 Nov 2019, Jon Trulson wrote:

#ifndef LinuxDistribution

[...]

- instant tool crashes on locale different than "C"

Crap.  That thing is so delicate.

I fixed that now, it was a one-off error.

So, to get things working on Fedora 30 and Centos 7:

- do not forget to install "ncompress"
- install all locales: for Fedora it's "dnf install glibc-all-langpacks"
- on Centos 7, I have put the following in the config/cf/host.cf file:

#define LinuxDistribution LinuxRedHat
#define TCLLib -ltcl8.5

and, most importantly, the attached patch should fix the crash
during the documentation build.


WRT the patch, nice catch, but:

-    stringLength = (3 * strlen(pArgv)) + 3;
+    stringLength = (3 * strlen(pArgv)) + 4;
 
Since worst case is an 8bit char, and it is encoded like \xff (4) + "(1)
+ "(1) + 0 (1), shouldn't that be:

stringLength = (*4* * strlen(pArgv)) + 3;

...?

Quotes and the terminating 0 are added once in the string:
" \ x f c \ x f c " 0

You are right - we need 4 bytes per character.
My patch worked only because from what I observe literal
text is fed character-by-character.

Fixed patch is attached, thanks!

Marcin
From d64e2840772b476b60a31ac9e4fca57f8f33cfd7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Cie=C5=9Blak?= <sa...@saper.info>
Date: Sat, 30 Nov 2019 03:51:40 +0000
Subject: [PATCH] dtdocbook/instant: fix buffer overflow on German umlaut in
 latin-1

One-off error:

Old buffer length was 6 for one character (3 * 1 + 3)
We need one more byte per character in the buffer for
the hex representation of it.

+0 '"'
+1 '\\'
+2 'x'
+3 'f'
+4 'c'
+5 '"'
+6 0x0 << overflow

tcl combined with RCHECK will abort because memory blocks
are allocated contiguously and we overwrite the magic marker
of the next block.
---
 cde/programs/dtdocbook/instant/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cde/programs/dtdocbook/instant/main.c 
b/cde/programs/dtdocbook/instant/main.c
index 7dfe91c..a3762bd 100644
--- a/cde/programs/dtdocbook/instant/main.c
+++ b/cde/programs/dtdocbook/instant/main.c
@@ -359,7 +359,7 @@ static int DefaultOutputString(ClientData clientData,
 
     /* leave room for worst case expansion plus quotes plus null */
     pArgv = argv[1];
-    stringLength = (3 * strlen(pArgv)) + 3;
+    stringLength = (4 * strlen(pArgv)) + 3;
 
     string = Tcl_Alloc(stringLength);
     memset(string, 0, stringLength);
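Review bot: The comment kept above the changed assignment in DefaultOutputString ("leave room for worst case expansion plus quotes plus null") does not say what the worst case is, which is how the multiplier came to be 3; state it there, for example that each input byte may expand to \xNN (4 bytes), plus 2 quotes, plus 1 NUL. The visible lines also pass the product straight to Tcl_Alloc, so it is worth confirming that stringLength is wide enough that 4 * strlen(pArgv) cannot wrap for long inputs.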
-- 
1.8.3.1
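The sizing argument from the thread, as an added example that is not part of the original message or of the CDE source: a hypothetical escaper with an explicit capacity check, showing that one Latin-1 byte does not fit in 3n+3 bytes but does fit in 4n+3. The names quoted_bound and quote_escape, and the choice of which bytes get escaped, are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst case: every input byte becomes \xNN (4 bytes), plus 2 quotes and NUL. */
static size_t quoted_bound(size_t n)
{
    return (n > (SIZE_MAX - 3) / 4) ? 0 : 4 * n + 3;   /* 0: bound would wrap */
}

/* Hypothetical escaper (not the code in instant/main.c): writes "<escaped>"
 * into out. Returns bytes used including the NUL, or 0 if cap is too small. */
static size_t quote_escape(const char *in, char *out, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    char tmp[4];
    size_t o = 0, n, i;
    if (cap < 3)                        /* need at least two quotes and NUL */
        return 0;
    out[o++] = '"';
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '"' || c == '\\') {            /* assumed: backslash-escape */
            tmp[0] = '\\'; tmp[1] = (char)c; n = 2;
        } else if (c < 0x20 || c >= 0x7f) {     /* control and 8-bit bytes */
            tmp[0] = '\\'; tmp[1] = 'x';
            tmp[2] = hex[c >> 4]; tmp[3] = hex[c & 15]; n = 4;
        } else {
            tmp[0] = (char)c; n = 1;
        }
        if (cap - o < n + 2)            /* keep room for closing quote + NUL */
            return 0;
        for (i = 0; i < n; i++)
            out[o++] = tmp[i];
    }
    out[o++] = '"';
    out[o] = '\0';
    return o + 1;
}

int main(void)
{
    const char *umlaut = "\xfc";        /* constructed input: Latin-1 u-umlaut */
    char buf[16];
    size_t old_cap = 3 * strlen(umlaut) + 3, new_cap = quoted_bound(strlen(umlaut));
    printf("3n+3 = %zu bytes -> %zu\n", old_cap, quote_escape(umlaut, buf, old_cap));
    printf("4n+3 = %zu bytes -> %zu\n", new_cap, quote_escape(umlaut, buf, new_cap));
    return 0;
}
```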

_______________________________________________
cdesktopenv-devel mailing list
cdesktopenv-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel