On Wed, Nov 30, 2011 at 11:29:10AM +0200, Aki Helin wrote:
> A simple way to avoid the crash would be for example to bound the number
> of bytes sscanf can read, because here the input is something coming from
> outside and sscanf is expecting a representation of a number within the
> valid range.
>
> --- lynx2-8-8/WWW/Library/Implementation/SGML.c 2011-06-13 03:18:54.000000000
> +0300
> +++ lynx2-8-8-scan/WWW/Library/Implementation/SGML.c 2011-11-30
> 11:10:11.000000000 +0200
> @@ -2643,7 +2643,7 @@
> #endif
> if ((context->isHex
> - ? sscanf(string->data, "%lx", &lcode)
> - : sscanf(string->data, "%lu", &lcode)) == 1) {
> + ? sscanf(string->data, "%20lx", &lcode)
> + : sscanf(string->data, "%20lu", &lcode)) == 1) {The drawback to this is that it will succeed when it shouldn't. I made a different fix using strtol which is in ongoing fixes here: ftp://invisible-island.net/temp/lynx2.8.8dev.9d.patch.gz -- Thomas E. Dickey <[email protected]> http://invisible-island.net ftp://invisible-island.net
signature.asc
Description: Digital signature
_______________________________________________ Lynx-dev mailing list [email protected] https://lists.nongnu.org/mailman/listinfo/lynx-dev
