Hello…
The following Rivet/Tcl code will reliably crash Apache:
<?
set char_string "&<>\"'/"
puts [escape_sgml_chars $char_string]
?>
Looking at Rivet_EscapeSgmlCharsCmd in rivetWWW.c, the Tcl_Alloc call at line
236 allocates origLength * 3 + 1 bytes.
You can probably already guess what the deal is… & gets mapped to &amp;, < to
&lt;, > to &gt;, ' to &#39; and " to &quot;
So in the widest case double quotes are mapped to six characters, so a string
containing nothing but double-quotes would need 6 * the size of the original
string, so I believe the line that allocates the new string needs to be changed
to
newString = (char *)Tcl_Alloc( (unsigned)origLength * 6 + 1 );
Thank you for developing, caring for and feeding Rivet.
-karl