The greatest bug here is that it tries to parse the webserver directory listing output (which is what I think it does).
V E R Y V E R Y B A D P R A C T I C E ! ! !

On 26.06.2013 16:17, Jaak Ristioja wrote:
> Ok, the crash is caused by a NULL pointer dereference, because
>
> pBufRes = (char *)findSizeStart(pBuf);
>
> might return NULL after which
>
> pBuf = pBufRes;
>
> and
>
> pBuf++; pBuf = strstr(pBuf, "<a href=\"");
>
> are executed. The latter strstr expression tries to dereference
> (++((char*)NULL)) and crashes.
>
> Blessings, Jaak
>
> On 26.06.2013 16:12, Jaak Ristioja wrote:
>> This might not be directly related, but looking at
>> curlhttpt.cpp, the line:
>>
>> sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
>>
>> is a potential buffer overflow, because the possibleName buffer
>> is 400 bytes, but possibleNameLength is not checked to be < 400.
>> So the server might cause a buffer overflow. Imho this is a
>> security issue.
>>
>> Looking at the quality of this code, I'm not surprised.
>>
>> Blessings, Jaak
>>
>> On 26.06.2013 15:51, Mark Trompell wrote:
>>> I'm trying to access a http repository
>>> (http://marktrompell.de/sword/). installmgr -r works fine, -rl
>>> too, but installmgr segfaults on -ri. Same for Xiphos, I can
>>> refresh and see what modules are there, but it crashes when I
>>> try to install. Probably the repository isn't properly set up,
>>> but nevertheless sword shouldn't crash. Attaching 2 backtraces,
>>> one from installmgr and the other one from xiphos.
>>>
>>> Blessings Mark
>>> --
>>> Mark Trompell
>>>
>>> Foresight Linux Xfce Edition
>>> Cause your desktop should be freaking cool (and Xfce)
>>>
>>> _______________________________________________
>>> sword-devel mailing list: sword-devel@crosswire.org
>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>> Instructions to unsubscribe/change your settings at above page
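
Both defects described in this thread, the unchecked `%.*s` length and the unchecked NULL return, come from trusting server-controlled listing text. The C code below is an added example, not code from SWORD or from the posters: `next_entry`, `find_size_start`, `NAME_CAP` and the `<a href="N">N</a> SIZE` line format are assumptions, and only the 400-byte buffer size is taken from the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 400  /* possibleName is 400 bytes according to the thread */

/* Hypothetical stand-in for findSizeStart(): points at the digits that
 * follow "</a>" in a constructed `<a href="N">N</a> SIZE` line, or NULL. */
static const char *find_size_start(const char *p) {
    p = strstr(p, "</a>");
    if (!p) return NULL;
    p += 4;
    while (*p == ' ') p++;
    return (*p >= '0' && *p <= '9') ? p : NULL;
}

/* Returns 1 = entry parsed, 0 = no more links, -1 = entry rejected.
 * *cursor always advances, so a caller can skip a rejected entry. */
static int next_entry(const char **cursor, char name[NAME_CAP], long *size) {
    static const char tag[] = "<a href=\"";
    const char *p = strstr(*cursor, tag);
    if (!p) return 0;
    p += sizeof tag - 1;
    const char *end = strchr(p, '"');
    if (!end) { *cursor = p; return -1; }   /* unterminated attribute */
    size_t len = (size_t)(end - p);
    *cursor = end + 1;
    if (len >= NAME_CAP) return -1;         /* server-chosen length too big */
    snprintf(name, NAME_CAP, "%.*s", (int)len, p);
    const char *sz = find_size_start(end);
    if (!sz) return -1;                     /* checked before any pointer use */
    *size = strtol(sz, NULL, 10);
    *cursor = sz;
    return 1;
}

int main(void) {
    /* Constructed listing: one row without a size column, one good row. */
    const char *cur = "<a href=\"../\">Parent</a>\n"
                      "<a href=\"kjv.zip\">kjv.zip</a>  1234\n";
    char name[NAME_CAP];
    long size;
    int rc;
    while ((rc = next_entry(&cur, name, &size)) != 0) {
        if (rc == 1) printf("%s %ld\n", name, size);
        else         printf("rejected malformed entry\n");
    }
    return 0;
}
```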