On Mon, Jul 1, 2013 at 5:46 PM, Jaak Ristioja <j...@ristioja.ee> wrote:
> On 01.07.2013 14:45, Mark Trompell wrote:
>> how do we know that pBuf++ is actually not outside our buffer?
>
> You mean pBuf before pBuf = strstr(pBuf, "<a href=\"") ? Because it
> points past the last double quote found in a \0-terminated string.

Okay, got that.

>> btw, why abort if pBufRes > pBuf?
>
> I don't understand your question, but this did help me find a bug in
> my patch. Here's an amendment:

Question is how can pBufRes get <= pBuf, if the char is found it is >= pBuf or NULL if char isn't found. The only reason for pBuf==pBufRes I can imagine is a <a href=""> which is annoying but not really a reason for aborting, which is what assert does in case the assertion fails. We might still want to use the other filenames found.

>> why not something like probably even uglier attached patch? I want
>> to get deeper inside C and C++ so I want to understand.
>>
>> On Thu, Jun 27, 2013 at 10:33 PM, Jaak Ristioja <j...@ristioja.ee>
>> wrote:
>> Patch for pointer dereference issue:
>>
>> https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/1b8ab91ff994c8584d6c61cb7d334273732d8216
>>
>> Patch for buffer overflow:
>>
>> https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/4a261b27a7bec9d9300da6c357666a3851f3d34e
>>
>> There you go! Took me half an hour.
>>
>> Blessings, Jaak
>>
>> On 27.06.2013 22:41, Mark Trompell wrote:
>>>>> I see. I'll try to come up with a better patch on Monday. I
>>>>> won't have time earlier.
>>>>> Blessings
>>>>> Mark
>>>>>
>>>>> --- Original message ---
>>>>> From: Jaak Ristioja
>>>>> Sent: 27.06.2013, 16:15
>>>>> To: sword-devel@crosswire.org
>>>>> Subject: Re: [sword-devel] installmgr (and xiphos) crashes (svn 2831)
>>>>>
>>>>> I think you only fixed pBuf not being set to NULL
>>>>> prematurely. But this:
>>>>>
>>>>> memset(possibleName, 0, 400);
>>>>>
>>>>> doesn't help. The sprintf function always writes a
>>>>> terminating \0 character. The problem is not that a \0
>>>>> character is not written, because it is written (unless a
>>>>> memory error occurs first). The problem is that if
>>>>> possibleNameLength > 399 then it writes the characters
>>>>> (including the terminating \0 character) past the end of the
>>>>> possibleName buffer, corrupting memory, potentially outside
>>>>> of the virtual address space of the program (usually
>>>>> triggering the OS to kill the process with a segfault or
>>>>> something).
>>>>>
>>>>> The memset call is not needed, but it should be checked that
>>>>> possibleNameLength < 400 (strictly "less-than"). Otherwise
>>>>>
>>>>> sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
>>>>>
>>>>> is a security vulnerability. I wonder whether a CVE is
>>>>> required.
>>>>>
>>>>> Blessings, Jaak
>>>>>
>>>>> On 27.06.2013 14:45, Mark Trompell wrote:
>>>>>> Sending again with tabs instead of blanks in the first
>>>>>> hunk
>>>>>
>>>>>> On Thu, Jun 27, 2013 at 1:17 PM, Mark Trompell
>>>>>> <m...@foresightlinux.org> wrote:
>>>>>>> I just fixed it :). Attached patch will initialize
>>>>>>> possibleNames with 0 bytes to make sure we always have
>>>>>>> the name 0 terminated properly, and it will move the
>>>>>>> pBuf=pBufRes into the check for ifBufRes != NULL, in case
>>>>>>> no filesize is found (because of another apache is
>>>>>>> displaying it differently) Shouldn't break existing
>>>>>>> setups.
-- 
Mark Trompell
Foresight Linux Xfce Edition
Cause your desktop should be freaking cool (and Xfce)
_______________________________________________
sword-devel mailing list: sword-devel@crosswire.org
http://www.crosswire.org/mailman/listinfo/sword-devel
Instructions to unsubscribe/change your settings at above page
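
The bound discussed in the quoted messages (possibleNameLength strictly less than 400), as an added C example that is not the SWORD code or either poster's patch. `next_href`, `count_names` and `NAME_BUF_SIZE` are hypothetical names, the listing is constructed, and skipping an empty or over-long name instead of aborting is this example's own choice.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 400  /* assumed: size of the possibleName buffer in the thread */

/* Hypothetical helper: copies the next href value after *cursor into out
 * (NAME_BUF_SIZE bytes). Returns 1 if a name was copied, 0 if the entry was
 * skipped (empty or too long), -1 when no further entry exists. */
static int next_href(const char **cursor, char *out)
{
    static const char tag[] = "<a href=\"";
    const char *start = strstr(*cursor, tag);
    if (start == NULL)
        return -1;
    start += sizeof(tag) - 1;            /* first byte after the opening quote */
    const char *end = strchr(start, '"');
    if (end == NULL)
        return -1;                       /* unterminated attribute: stop scanning */
    size_t len = (size_t)(end - start);
    *cursor = end + 1;                   /* at most the \0 terminator, never past it */
    if (len == 0 || len >= NAME_BUF_SIZE)
        return 0;                        /* name plus its \0 would not fit: skip */
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Counts accepted names; a skipped entry does not end the scan. */
static int count_names(const char *listing, char *last)
{
    int n = 0, rc;
    while ((rc = next_href(&listing, last)) != -1)
        n += rc;
    return n;
}

int main(void)
{
    char longname[600], listing[1024], name[NAME_BUF_SIZE] = "";
    memset(longname, 'A', sizeof(longname) - 1);    /* constructed 599-byte name */
    longname[sizeof(longname) - 1] = '\0';
    snprintf(listing, sizeof(listing),
             "<a href=\"\">x</a><a href=\"%s\">y</a><a href=\"kjv.zip\">z</a>",
             longname);
    printf("%d accepted, last=%s\n", count_names(listing, name), name);
    return 0;
}
```
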