Re: out of bounds array access
From: Thomas Dickey
Subject: Re: out of bounds array access
Date: Sat, 25 Oct 2003 19:44:08 -0400 (EDT)
On Sat, 25 Oct 2003, Todd C. Miller wrote:
> _nc_infotocap() can access memory outside the bounds of str.
> Found by David Krause using some of the new malloc debugging features
> under OpenBSD; a fix by Ted Unangst follows. I don't think this
> has security implications but should still be fixed.
thanks
>
> - todd
>
> --- ncurses/tinfo/captoinfo.c.DIST Sat Sep 28 10:38:59 2002
> +++ ncurses/tinfo/captoinfo.c Sat Oct 25 17:03:07 2003
> @@ -649,11 +649,11 @@
>
> /* we may have to move some trailing mandatory padding up front */
> padding = str + strlen(str) - 1;
> - if (*padding == '>' && *--padding == '/') {
> + if (padding > str && *padding == '>' && *--padding == '/') {
> --padding;
> while (isdigit(UChar(*padding)) || *padding == '.' || *padding == '*')
> padding--;
> - if (*padding == '<' && *--padding == '$')
> + if (padding > str && *padding == '<' && *--padding == '$')
> trimmed = padding;
> padding += 2;
>
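Review bot: The `while` loop between the two new guards still has no lower bound, so `padding` can step below `str` before the second `padding > str` test is reached. For a `str` such as "12/>" the first condition passes, `--padding` lands on the last digit, and the loop walks left over the digits until its own condition reads `*padding` at `str - 1`; for "/>" the bare `--padding` after the first test already puts it there. Suggest bounding the loop itself, for example `while (padding > str && (isdigit(UChar(*padding)) || *padding == '.' || *padding == '*'))`, and requiring at least one character in front of the '/' before the unconditional `--padding`. Separately, for an empty `str` the expression `str + strlen(str) - 1` forms a pointer before the start of the buffer; the new test avoids dereferencing it, but checking the length before computing `padding` would avoid creating it at all.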
--
Thomas E. Dickey
http://invisible-island.net
ftp://invisible-island.net