debian/cdesktop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dtdocbook/instant: fix buffer overlow on German umlaut in latin-1

Browse Source 
One-off error:

Old buffer length was 6 for one character (3 * 1 + 3)
We need one more byte par character in the buffer for
the hex representation of it.

+0 '"'
+1 '\\'
+2 'x'
+3 'f'
+4 'c'
+5 '"'
+6 0x0 << overflow

tcl combined with RCHECK will abort because memory blocks
are allocated contiguously and we overwrite the magic marker
of the next block.
This commit is contained in:
Marcin Cieślak
2019-11-30 03:51:40 +00:00
committed by Jon Trulson
parent 9221c55a5f
commit 5cebd7c4da
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cde/programs/dtdocbook/instant/main.c
View File

@@ -359,7 +359,7 @@ static int DefaultOutputString(ClientData clientData,
/* leave room for worst case expansion plus quotes plus null */ /* leave room for worst case expansion plus quotes plus null */
pArgv = argv[1]; pArgv = argv[1];
stringLength = (3 * strlen(pArgv)) + 3; stringLength = (4 * strlen(pArgv)) + 3;
string = Tcl_Alloc(stringLength); string = Tcl_Alloc(stringLength);
memset(string, 0, stringLength); memset(string, 0, stringLength);