Thank you for reporting this. It's been fixed now in branches/2.3 and
trunk as well.
-- Massimo
On 12/07/2016 12:55 AM, Karl Lehenbauer wrote:
Hello…
The following Rivet/Tcl code will reliably crash Apache:
<?
set char_string "&<>\"'/"
puts [escape_sgml_chars $char_string]
?>
Looking at Rivet_EscapeSgmlCharsCmd in rivetWWW.c, the Tcl_Alloc call at
line 236 allocates origLength * 3 + 1 bytes.
You can probably already guess what the deal is… & gets mapped to
&amp;, < to &lt;, > to &gt;, ' to &#39; and " to &quot;
So in the widest case double quotes are mapped to six characters, so a
string containing nothing but double-quotes would need 6 * the size of
the original string, so I believe the line that allocates the new string
needs to be changed to
newString = (char *)Tcl_Alloc( (unsigned)origLength * 6 + 1 );
Thank you for developing, caring for and feeding Rivet.
-karl
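As an added illustration (not Rivet's own code), a C escaper that sizes its buffer with the 6x bound proposed above, plus helpers that compute the exact escaped length and show by how many bytes the old origLength * 3 + 1 allocation falls short for inputs such as the string in the report. The &#39; form for the single quote is an assumption.

```c
/* Added example, not Rivet's code: SGML escaper sized for the widest
 * expansion ("&quot;", 6 bytes); the &#39; form for ' is an assumption. */
#include <stdlib.h>
#include <string.h>

/* Replacement text for an escapable byte, or NULL if it passes through. */
static const char *sgml_rep(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '\'': return "&#39;";
    case '"':  return "&quot;";
    default:   return NULL;
    }
}

/* Exact escaped length of s, excluding the trailing NUL. */
size_t sgml_escaped_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        const char *r = sgml_rep(*s);
        n += r ? strlen(r) : 1;
    }
    return n;
}

/* Bytes by which the old origLength*3+1 buffer is too small (0 if it fits). */
size_t sgml_old_bound_shortfall(const char *s)
{
    size_t need = sgml_escaped_len(s) + 1;      /* include the NUL */
    size_t old  = strlen(s) * 3 + 1;
    return need > old ? need - old : 0;
}

/* Escape s into a malloc'd buffer sized with the 6x bound; caller frees. */
char *sgml_escape(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        const char *r = sgml_rep(*s);
        if (r) { size_t n = strlen(r); memcpy(p, r, n); p += n; }
        else     *p++ = *s;
    }
    *p = '\0';
    return out;
}
```

For the six-byte input from the report the old bound reserves 19 bytes while 26 are needed; an all-double-quote string needs 6 bytes per input byte.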