Re: lynx-dev Some more security issues in Lynx...
From: Alan Cox
Subject: Re: lynx-dev Some more security issues in Lynx...
Date: Sat, 31 Oct 1998 00:50:42 +0000 (GMT)
> It's a portability consideration (that's policy, I guess). Lynx runs on a
> number of platforms that don't have snprintf (Lynx has its own strcasecmp
> for instance ;-). The workarounds, of course, involve more work, but
> that's what we'll do (i.e., splice things together from StrAllocCopy and
> StrAllocCat when we don't know a precise limit).
Ok, take a look at LYMap.c: it uses StrAllocCopy etc. religiously until
it gets into LYLoadIMGmap(), which prints arbitrary (as far as I can see)
length addresses into a 1K buffer.
Another suspicious area is all the local handling. The code appears to have
set its buffer sizes correctly before shell quoting was added. A worst case
shell quoting (size*5) seems to exceed buffers in several places.
Alan
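
The worst-case arithmetic discussed in this message, as an added example that is not part of the original message and is not Lynx's code. It assumes a quoting scheme in which each embedded single quote is rewritten as the five-byte sequence `'"'"'` (consistent with the size*5 figure above); the function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed (including NUL) to single-quote s for a POSIX shell.
 * Assumed scheme: each ' becomes the 5-byte sequence '"'"'.
 * Returns 0 if the size would overflow size_t. */
size_t shell_quoted_size(const char *s)
{
    size_t need = 3;                       /* opening ', closing ', NUL */
    for (; *s != '\0'; s++) {
        size_t add = (*s == '\'') ? 5 : 1;
        if (need > (size_t)-1 - add)
            return 0;
        need += add;
    }
    return need;
}

/* Quote into a buffer sized from the input, so growth from quoting cannot
 * overrun a fixed-size destination. Caller frees; NULL on failure. */
char *shell_quote_alloc(const char *s)
{
    size_t need = shell_quoted_size(s);
    char *out, *p;

    if (need == 0 || (out = malloc(need)) == NULL)
        return NULL;
    p = out;
    *p++ = '\'';
    for (; *s != '\0'; s++) {
        if (*s == '\'') { memcpy(p, "'\"'\"'", 5); p += 5; }
        else            { *p++ = *s; }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* For code that keeps a fixed buffer: check the quoted size before writing. */
int shell_quote_fits(const char *s, size_t bufsize)
{
    size_t need = shell_quoted_size(s);
    return need != 0 && need <= bufsize;
}

int main(void)
{
    char in[301];                          /* constructed sample: 300 quotes */
    memset(in, '\'', 300); in[300] = '\0';
    printf("300 bytes in, %zu needed, fits 1K: %d\n",
           shell_quoted_size(in), shell_quote_fits(in, 1024));
    return 0;
}
```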