Re: PATCH: possible out of bounds read in Unix Clipboard code

From: Dom Lachowicz <domlachowicz_at_yahoo.com>
Date: Sun Oct 02 2005 - 16:11:45 CEST

Hi Robert,

This is a good catch, but we can't use this particular
fix:

CONFORMING TO
       This function is a GNU extension.

Could you come up with another way to fix this
problem, or maybe implement a UT_strnlen() function?

Thanks,
Dom

--- Robert Wilhelm <robert.wilhelm@gmx.net> wrote:

>
> In ap_UnixApp.cpp we have the following code which deals with
> not 0 terminated strings:
>
> iLen = UT_MIN(iLen,strlen(reinterpret_cast<const char *>(pData)));
>
> strlen can access data after the pData buffer.
>
> Fixed by using strnlen().
>
> Best regards,
>
> Robert
>
> RCS file:
> /cvsroot/abi/src/wp/ap/unix/ap_UnixApp.cpp,v
> retrieving revision 1.285
> diff -u -r1.285 ap_UnixApp.cpp
> --- ap_UnixApp.cpp 12 Sep 2005 20:45:27 -0000
> 1.285
> +++ ap_UnixApp.cpp 2 Oct 2005 08:50:24 -0000
> @@ -643,7 +643,7 @@
>
> if
> (AP_UnixClipboard::isRichTextTag(szFormatFound))
> {
> - iLen =
> UT_MIN(iLen,strlen(reinterpret_cast<const char
> *>(pData)));
> + iLen =
> strnlen(reinterpret_cast<const char
> *>(pData),iLen);
>
> IE_Imp_RTF * pImpRTF = new
> IE_Imp_RTF(pDocRange->m_pDoc);
> bSuccess =
> pImpRTF->pasteFromBuffer(pDocRange,pData,iLen);
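Review bot: the added line in the isRichTextTag branch calls strnlen(), which is a GNU extension rather than ISO C, so it may be missing on non-glibc platforms that build the Unix front end. A bounded search with memchr(pData, 0, iLen), wrapped in a UT_strnlen() helper, gives the same clamp using only standard calls.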
> @@ -724,7 +724,7 @@
> }
> else // (
> AP_UnixClipboard::isTextTag(szFormatFound) )
> {
> - iLen =
> UT_MIN(iLen,strlen(reinterpret_cast<const char
> *>(pData)));
> + iLen =
> strnlen(reinterpret_cast<const char
> *>(pData),iLen);
>
> IE_Imp_Text * pImpText = new
> IE_Imp_Text(pDocRange->m_pDoc,"UTF-8");
> bSuccess =
> pImpText->pasteFromBuffer(pDocRange,pData,iLen);
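Review bot: the isTextTag branch repeats the clamp expression from the RTF branch verbatim, cast included, and the patch touches three such sites in this file. Put the expression behind one helper taking (pData, iLen) so the bound lives in one place; the helper can also return iLen's own type, since strnlen() returns size_t and iLen's declaration is not visible in this diff.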
> @@ -737,8 +737,8 @@
> if(!bSuccess &&
>
m_pClipboard->getTextData(tFrom,reinterpret_cast<const
> void
> **>(&pData),&iLen, &szFormatFound)) {
> UT_DEBUGMSG(("DOM: pasting text as
> an absolute fallback
> (bug 7666)\n"));
>
> - iLen =
> UT_MIN(iLen,strlen(reinterpret_cast<const char
> *>(pData)));
> -
> + iLen =
> strnlen(reinterpret_cast<const char
> *>(pData),iLen);
> +
> IE_Imp_Text * pImpText = new
> IE_Imp_Text(pDocRange->m_pDoc,"UTF-8");
> bSuccess =
> pImpText->pasteFromBuffer(pDocRange,pData,iLen);
> DELETEP(pImpText);
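Review bot: the second removed/added pair in this hunk replaces one blank line with another, which looks like whitespace-only churn after the fallback-path clamp. Drop that pair so the hunk carries only the strlen() to strnlen() change.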
>
> --
> Robert Wilhelm <robert.wilhelm@gmx.net>
>
>

                
Received on Sun Oct 2 16:12:34 2005
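
A portable bounded-length helper of the kind asked for in the reply above, as an added example that is not part of the original thread or of AbiWord's code. It uses ISO C memchr() instead of the GNU strnlen(); the body of UT_strnlen and the clampClipboardLen wrapper are assumptions, and the sample buffers are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Hypothetical helper: the name follows the suggestion in the reply, the
// body is an assumption. Returns the number of bytes before the first NUL
// in s, never reading past s[maxlen - 1].
static std::size_t UT_strnlen(const char *s, std::size_t maxlen)
{
    if (s == NULL || maxlen == 0)
        return 0;
    // memchr is ISO C and stops after maxlen bytes, unlike strlen, which
    // keeps reading until it happens to find a NUL.
    const void *nul = std::memchr(s, '\0', maxlen);
    return nul ? static_cast<std::size_t>(static_cast<const char *>(nul) - s)
               : maxlen;
}

// Constructed stand-in for the clipboard clamp: takes pData/iLen as handed
// over by the clipboard and returns the length that is safe to pass on to
// an importer's pasteFromBuffer().
static std::size_t clampClipboardLen(const unsigned char *pData,
                                     std::size_t iLen)
{
    return UT_strnlen(reinterpret_cast<const char *>(pData), iLen);
}

int main()
{
    // Constructed sample buffers.
    const unsigned char unterminated[5] = {'h', 'e', 'l', 'l', 'o'}; // no NUL
    const unsigned char padded[8] = {'h', 'i', 0, 'x', 'x', 'x', 'x', 'x'};

    // Unterminated data: the clamp returns iLen and reads nothing beyond it.
    std::printf("%zu\n", clampClipboardLen(unterminated, sizeof unterminated));
    // Data with an early NUL: the clamp shortens the length to the text.
    std::printf("%zu\n", clampClipboardLen(padded, sizeof padded));
    return 0;
}
```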

This archive was generated by hypermail 2.1.8 : Sun Oct 02 2005 - 16:12:34 CEST