Hi,

On Tue, Mar 29, 2022 at 12:52 AM LemonBoy <[email protected]> wrote:
> *@LemonBoy* commented on this pull request.
> ------------------------------
>
> In src/channel.c
> <https://github.com/vim/vim/pull/10025#discussion_r837163064>:
>
> > + > + // Process each line in the header till an empty line is read (header > + // separator). > + while (TRUE) > + { > + line_start = p; > + while (*p != NUL && *p != '\n') > + p++; > + if (*p == NUL) // partial header > + return MAYBE; > + p++; > + > + // process the content length field (if present) > + if ((p - line_start > 16) > + && STRNICMP(line_start, "Content-Length: ", 16) == 0) > + payload_len = atoi((char *)line_start + 16);
>
> This line is quite dangerous, a negative content length can and will wreak
> havoc.
> The use of atoi is also problematic, in case of overflow you may be
> invoking undefined behaviour, plus the error checking is quite lacking.
> This call can be replaced with the use of strtol (and proper error
> checking, don't forget the check for ERANGE) and a check to make sure the
> value is not negative.
>

I have changed atoi() to strtol() and added the valid header length checks.

Regards,
Yegappan

> Using unsigned variables for everything that represents a length is also
> a good idea.
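Review bot: At `payload_len = atoi((char *)line_start + 16);` the header value is stored with no validation. atoi() returns 0 for non-numeric input, accepts a leading '-', ignores trailing garbage and has undefined behaviour on overflow, so a malformed Content-Length cannot be told apart from a valid one. Parse with strtol(), check errno for ERANGE, require that only the line terminator follows the number, and reject negative values and values above a sane maximum before the length is used. The assignment also runs for every matching line inside the `while (TRUE)` loop, so a repeated Content-Length header silently overrides the earlier one; consider rejecting duplicates.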
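The strtol-based parsing asked for in the review, written out as a stand-alone example (added here, not the code from the pull request or from Vim). The function name `parse_content_length`, the `MAX_PAYLOAD_LEN` cap and the NUL-terminated line input are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Assumed upper bound for one message body; the patch names no limit. */
#define MAX_PAYLOAD_LEN (64L * 1024 * 1024)

/*
 * Parse one header line (NUL-terminated, optional trailing "\r\n" or "\n").
 * Returns the payload length, or -1 if the line is not a well-formed
 * Content-Length header with a value in [0, MAX_PAYLOAD_LEN].
 */
static long parse_content_length(const char *line)
{
    static const char name[] = "Content-Length: ";
    const size_t name_len = sizeof(name) - 1;
    const char *digits;
    char *end;
    long val;

    if (strncasecmp(line, name, name_len) != 0)
        return -1;
    digits = line + name_len;
    /* strtol() would skip blanks and accept '+' or '-': demand a digit,
     * which also rules out negative and empty values. */
    if (!isdigit((unsigned char)*digits))
        return -1;
    errno = 0;
    val = strtol(digits, &end, 10);
    if (errno == ERANGE)                 /* value does not fit in a long */
        return -1;
    /* Nothing but the line terminator may follow the number. */
    if (*end != '\0' && strcmp(end, "\n") != 0 && strcmp(end, "\r\n") != 0)
        return -1;
    return val > MAX_PAYLOAD_LEN ? -1 : val;
}

int main(void)
{
    /* Constructed sample header lines. */
    const char *samples[] = { "Content-Length: 42\r\n", "Content-Length: -1\r\n",
        "Content-Length: 99999999999999999999999\r\n", "Content-Length: 12abc\r\n" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%ld <- %s", parse_content_length(samples[i]), samples[i]);
    return 0;
}
```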
