[sword-devel] installmgr (and xiphos) crashes (svn 2831)

Mark Trompell mark at foresightlinux.org
Mon Jul 1 04:45:28 MST 2013


At:

    pBuf++;
    pBuf = strstr(pBuf, "<a href=\""); // Find the next link to a possible file name.

How do we know that pBuf++ is actually not outside our buffer?
Btw, why abort if pBufRes > pBuf?
Why not something like the (probably even uglier) attached patch?
I want to get deeper inside C and C++, so I want to understand.

On Thu, Jun 27, 2013 at 10:33 PM, Jaak Ristioja <jaak at ristioja.ee> wrote:
> Patch for pointer dereference issue:
>
>
> https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/1b8ab91ff994c8584d6c61cb7d334273732d8216
>
> Patch for buffer overflow:
>
>
> https://gitorious.org/~jotik/sword-svn-mirrors/jotiks-sword-trunk/commit/4a261b27a7bec9d9300da6c357666a3851f3d34e
>
> There you go! Took me half an hour.
>
> Blessings,
> Jaak
>
> On 27.06.2013 22:41, Mark Trompell wrote:
>> I see. I'll try to come up with a better patch on Monday. I won't
>> have time earlier. Blessings Mark --- Original message ---
>> From: Jaak Ristioja Sent: 27.06.2013, 16:15 To:
>> sword-devel at crosswire.org Subject: Re: [sword-devel] installmgr
>> (and xiphos) crashes (svn 2831)
>>
>>
>> I think you only fixed pBuf not being set to NULL prematurely. But
>> this:
>>
>> memset(possibleName, 0, 400);
>>
>> doesn't help. The sprintf function always writes a terminating \0
>> character. The problem is not that a \0 character is not written,
>> because it is written (unless a memory error occurs first). The
>> problem is that if possibleNameLength > 399 then it writes the
>> characters (including the terminating \0 character) past the end
>> of the possibleName buffer, corrupting memory, potentially outside
>> of the virtual address space of the program (usually triggering the
>> OS to kill the process with a segfault or something).
>>
>> The memset call is not needed, but it should be checked that
>> possibleNameLength < 400 (strictly "less-than"). Otherwise
>>
>> sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
>>
>> is a security vulnerability. I wonder whether a CVE is required.
>>
>>
>> Blessings, Jaak
>>
>>  On 27.06.2013 14:45, Mark Trompell wrote:
>>> Sending again with tabs instead of blanks in the first hunk
>>
>>> On Thu, Jun 27, 2013 at 1:17 PM, Mark Trompell
>>> <mark at foresightlinux.org> wrote:
>>>> I just fixed it :). The attached patch will initialize
>>>> possibleName with 0 bytes to make sure we always have the name
>>>> 0-terminated properly, and it will move the pBuf = pBufRes into
>>>> the check for pBufRes != NULL, in case no file size is found
>>>> (because another Apache displays it differently).
>>>> Shouldn't break existing setups.
>>
>>
>>
>>
>>> _______________________________________________ sword-devel
>>> mailing list: sword-devel at crosswire.org
>>> http://www.crosswire.org/mailman/listinfo/sword-devel
>>> Instructions to unsubscribe/change your settings at above page
>>
>



-- 
Mark Trompell

Foresight Linux Xfce Edition
Cause your desktop should be freaking cool
(and Xfce)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix_curl_http_crash.patch
Type: application/octet-stream
Size: 2467 bytes
Desc: not available
URL: <http://www.crosswire.org/pipermail/sword-devel/attachments/20130701/bf02e363/attachment.obj>
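The two checks the thread argues about, as an added example that is not SWORD's installmgr code: it keeps the 400-byte possibleName buffer and the "%.*s" sprintf from the quoted message as the 'before', and next to it a copy that enforces possibleNameLength < 400 strictly, plus a listing scanner whose strstr/pointer advance stays inside the buffer. The function names, the array-based interface and the Apache-style sample listing are assumptions made for illustration; the in-bounds argument for the pBuf++ step rests on the page buffer being NUL-terminated, which the example also assumes.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not SWORD's code. Models the installmgr directory-listing
 * parser discussed in the thread: walk a NUL-terminated page buffer, find
 * every <a href="..."> entry and copy the candidate file name into a fixed
 * 400-byte buffer. Function names and the sample listing are assumptions. */

#define NAME_BUF_SIZE 400   /* the possibleName size the thread mentions */

/* 'Before': the shape from the thread. sprintf always appends the NUL, so
 * any possibleNameLength >= 400 writes past the end of possibleName.
 * Kept only for comparison; nothing below calls it. */
void copy_name_unchecked(char *possibleName, const char *pBuf, int possibleNameLength)
{
    sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
}

/* 'After': refuse any name that would not fit together with its NUL.
 * The bound is strictly less-than, as Jaak says. Returns 1 on success. */
int copy_name_checked(char possibleName[NAME_BUF_SIZE], const char *pBuf, size_t possibleNameLength)
{
    if (possibleNameLength >= NAME_BUF_SIZE)
        return 0;
    memcpy(possibleName, pBuf, possibleNameLength);
    possibleName[possibleNameLength] = '\0';
    return 1;
}

/* Scan a NUL-terminated listing for <a href="NAME"> entries, storing each
 * accepted NAME in names[]. Returns the number accepted; *skipped counts
 * names rejected for length or for a missing closing quote.
 * Why the pointer arithmetic stays in bounds: strstr never returns a
 * pointer past the terminator, and the only increment is past a character
 * we have already confirmed is a '"' (so at worst it lands on the NUL,
 * where strstr("") simply returns NULL). */
int scan_listing(const char *listing, char names[][NAME_BUF_SIZE], int max_names, int *skipped)
{
    static const char marker[] = "<a href=\"";
    const size_t marker_len = sizeof marker - 1;
    int found = 0;
    const char *pBuf = strstr(listing, marker);

    *skipped = 0;
    while (pBuf != NULL && found < max_names) {
        const char *name = pBuf + marker_len;   /* all marker bytes matched, so still <= NUL */
        const char *end = strchr(name, '"');
        if (end == NULL) {                      /* unterminated attribute: nothing more to parse */
            (*skipped)++;
            break;
        }
        if (copy_name_checked(names[found], name, (size_t)(end - name)))
            found++;
        else
            (*skipped)++;
        pBuf = strstr(end + 1, marker);         /* end is a '"', not the NUL */
    }
    return found;
}

/* Constructed sample listing (not captured from a real server): three
 * ordinary entries and one href far longer than the 400-byte buffer. */
int demo(int *skipped)
{
    static char listing[2048];
    static char names[8][NAME_BUF_SIZE];
    char longname[NAME_BUF_SIZE + 50];

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    snprintf(listing, sizeof listing,
             "<html><body><pre>\n"
             "<a href=\"../\">Parent Directory</a>\n"
             "<a href=\"KJV.zip\">KJV.zip</a>  1.2M\n"
             "<a href=\"%s\">too long</a>\n"
             "<a href=\"mods.d.tar.gz\">mods.d.tar.gz</a>\n"
             "</pre></body></html>\n", longname);
    return scan_listing(listing, names, 8, skipped);
}

int main(void)
{
    int skipped = 0;
    int n = demo(&skipped);
    printf("accepted %d name(s), skipped %d oversize/unterminated\n", n, skipped);
    return 0;
}
```

With the constructed listing the scanner accepts the three short names and skips the 449-byte one instead of overflowing; the memset that the thread discusses is indeed unnecessary here, because the copy writes the terminator itself and the length check guarantees there is room for it.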

