https://bz.apache.org/bugzilla/show_bug.cgi?id=61353
Bug ID: 61353
Summary: escape_sgml_chars doesn't allocate large enough buffer
Product: Rivet
Version: 2.2.3
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: critical
Priority: P2
Component: Rivet Core Commands
Assignee: rivet-dev@tcl.apache.org
Reporter: jlawson-apa...@bovine.net
CC: mxman...@apache.org
Target Milestone: mod_rivet

It's possible to perform a buffer overflow in escape_sgml_chars for very short strings that contain mostly characters that require escaping, because the temporary buffer allocation is not large enough.

$ tclsh
% package require rivetlib
2.2.3
% puts [::rivet::escape_sgml_chars "&"]
alloc: invalid block: 0x80214f620: ef ef 3b
Abort trap (core dumped)

In Rivet_EscapeSgmlCharsCmd, the following buffer allocation is done; however, the worst-case escapement will require 6 characters per input character if the input string consisted entirely of double-quote characters.

newString = (char *)Tcl_Alloc( (unsigned)origLength * 3 + 1 );
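To make the sizing point concrete, here is an added example (not Rivet's code) of an SGML escaper that allocates for the worst case the report describes: every input byte can become `&quot;`, six bytes, so `len * 3 + 1` is too small. The function and macro names are hypothetical; `sgml_escaped_size` returns the exact requirement so the two sizings can be compared.

```c
/* Added example (not Rivet's code): an SGML escaper sized for the worst case
 * named in the report. All names here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SGML_MAX_EXPANSION 6   /* "&quot;" is the longest replacement */

/* Replacement for one byte, or NULL if it is copied unchanged. */
static const char *sgml_replacement(unsigned char c)
{
    switch (c) {
    case '&': return "&amp;";
    case '<': return "&lt;";
    case '>': return "&gt;";
    case '"': return "&quot;";
    default:  return NULL;
    }
}

/* Exact bytes (with NUL) the escaped form of s needs; compare with len*3+1. */
size_t sgml_escaped_size(const char *s)
{
    size_t need = 1;
    for (; *s; s++) {
        const char *rep = sgml_replacement((unsigned char)*s);
        need += rep ? strlen(rep) : 1;
    }
    return need;
}

/* malloc'd escaped copy of s (caller frees), or NULL on overflow or OOM.
 * A len*3+1 buffer, as in the report, is too small for "&" or "\"". */
char *sgml_escape(const char *s)
{
    size_t len = strlen(s);
    if (len > (SIZE_MAX - 1) / SGML_MAX_EXPANSION)  /* size arithmetic */
        return NULL;
    char *out = malloc(len * SGML_MAX_EXPANSION + 1); /* worst case */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (; *s; s++) {
        const char *rep = sgml_replacement((unsigned char)*s);
        size_t n = rep ? strlen(rep) : 1;
        memcpy(p, rep ? rep : s, n);
        p += n;
    }
    *p = '\0';
    return out;
}
```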