external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00
Code Issues Releases Wiki Activity

dtdocbook/instant: fix buffer overlow on German umlaut in latin-1

Browse source 
One-off error:

Old buffer length was 6 for one character (3 * 1 + 3)
We need one more byte par character in the buffer for
the hex representation of it.

+0 '"'
+1 '\\'
+2 'x'
+3 'f'
+4 'c'
+5 '"'
+6 0x0 << overflow

tcl combined with RCHECK will abort because memory blocks
are allocated contiguously and we overwrite the magic marker
of the next block.
This commit is contained in:
Marcin Cieślak 2019-11-30 03:51:40 +00:00 committed by Jon Trulson
parent 9221c55a5f
commit 5cebd7c4da
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cde/programs/dtdocbook/instant/main.c
View file

@ -359,7 +359,7 @@ static int DefaultOutputString(ClientData clientData,
/* leave room for worst case expansion plus quotes plus null */ /* leave room for worst case expansion plus quotes plus null */
pArgv = argv[1]; pArgv = argv[1];
stringLength = (3 * strlen(pArgv)) + 3; stringLength = (4 * strlen(pArgv)) + 3;
string = Tcl_Alloc(stringLength); string = Tcl_Alloc(stringLength);
memset(string, 0, stringLength); memset(string, 0, stringLength);