LYNX-DEV Lynx 2-7-1 Bug in forms handling code.
From: Rick Mallett
Subject: LYNX-DEV Lynx 2-7-1 Bug in forms handling code.
Date: Thu, 29 May 1997 16:33:04 -0400 (EDT)

This bug relates to mishandling of very large value fields in the latest
version of lynx 2-7-1 plus fotemods.zip dated May 29, 1997. The problem
was reported by one of our users who got a segment violation (signal 11)
when she attempted to use a form at
http://horses.product.com/wwwboard/wwwboard.html
a WWW based newsgroup which uses HTML forms for posting messages and/or
followups. To cut a long story short, it seems that if the default value
for a textarea forms entry is greater than 1024 characters there will be
a memory overrun on the last line of LYSetupEdit in LYStrings.c when the
function attempts to copy the long string into a 1024 byte buffer. The
statement in question is
    strcpy(edit->buffer, old);
where old is the very long string (the default value of the textarea) and
edit->buffer is a 1024 byte buffer (typedef EditFieldData in LYStrings.h).
LYSetupEdit is actually passed the length of the buffer as its third
argument so it should be possible to replace the errant line by the
following
    if (strlen(old) >= maxstr) {
        /* maxstr is the buffer length, so the last valid index is maxstr - 1 */
        strncpy(edit->buffer, old, maxstr - 1);
        edit->buffer[maxstr - 1] = '\0';
    } else {
        strcpy(edit->buffer, old);
    }
although there might be a more elegant way to handle the problem as in
malloc'ing the space for edit->buffer etc. If the string is truncated
as shown above I would think that a statusline message would be in
order.
----------------------------------------------------------------------
Rick Mallett
Carleton University
Email address: address@hidden
----------------------------------------------------------------------
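
The bounded copy discussed in the message above, as an added example that is not part of the original post or the Lynx source. DemoEditField, DEMO_BUFSIZE and demo_setup_edit are hypothetical stand-ins for EditFieldData, its 1024-byte buffer and LYSetupEdit; maxstr is assumed to be the total buffer size in bytes, and the return value tells the caller when to show the statusline message.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_BUFSIZE 1024   /* buffer size stated in the message */

/* Hypothetical stand-in for EditFieldData; only the field used here. */
typedef struct {
    char buffer[DEMO_BUFSIZE];
} DemoEditField;

/*
 * Copy the default value into the fixed edit buffer.
 * maxstr is the total size of edit->buffer in bytes (assumption taken
 * from the message), so at most maxstr - 1 characters are stored.
 * Returns 1 if the value was truncated, 0 if it fit, -1 on bad arguments.
 */
int demo_setup_edit(DemoEditField *edit, const char *old, size_t maxstr)
{
    size_t len;

    if (edit == NULL || old == NULL || maxstr == 0 ||
        maxstr > sizeof edit->buffer)
        return -1;

    len = strlen(old);
    if (len >= maxstr) {
        memcpy(edit->buffer, old, maxstr - 1);
        edit->buffer[maxstr - 1] = '\0';
        return 1;               /* caller should show a statusline message */
    }
    memcpy(edit->buffer, old, len + 1);   /* copy includes the terminator */
    return 0;
}

int main(void)
{
    static DemoEditField edit;
    char longval[3000];     /* constructed textarea default, > 1024 chars */

    memset(longval, 'A', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';

    if (demo_setup_edit(&edit, longval, sizeof edit.buffer) == 1)
        printf("value truncated to %lu characters\n",
               (unsigned long) strlen(edit.buffer));
    return 0;
}
```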