Re: PATCH: possible out of bounds read in Unix Clipboard code

From: Dom Lachowicz <domlachowicz_at_yahoo.com>
Date: Sun Oct 02 2005 - 18:04:11 CEST

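#include <stddef.h>  /* size_t */
#ifdef HAVE_STRNLEN
#include <string.h>  /* strnlen() */
#endif

/* Length of s, capped at maxlen; s need not be NUL-terminated. */
size_t UT_strnlen(const char *s, size_t maxlen)
{
#ifdef HAVE_STRNLEN
  return strnlen(s, maxlen);
#else
  size_t i;
  const char *p;

  if(!s)
    return 0;

  /* Test the bound before dereferencing, so s[maxlen] is never read. */
  for(i = 0, p = s; (i < maxlen) && (*p); i++, p++)
    ;

  return i;
#endif
}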

--- Dom Lachowicz <domlachowicz@yahoo.com> wrote:

>
> Hi Robert,
>
> This is a good catch, but we can't use this particular
> fix:
>
> CONFORMING TO
> This function is a GNU extension.
>
> Could you come up with another way to fix this
> problem, or maybe implement a UT_strnlen() function?
>
> Thanks,
> Dom
>
> --- Robert Wilhelm <robert.wilhelm@gmx.net> wrote:
>
> >
> > In ap_UnixApp.cpp we have the following code which deals
> > with not 0 terminated strings:
> >
> > iLen = UT_MIN(iLen,strlen(reinterpret_cast<const char *>(pData)));
> >
> > strlen can access data after the pData buffer.
> >
> > Fixed by using strnlen().
> >
> > Best regards,
> >
> > Robert
> >
> > RCS file:
> > /cvsroot/abi/src/wp/ap/unix/ap_UnixApp.cpp,v
> > retrieving revision 1.285
> > diff -u -r1.285 ap_UnixApp.cpp
> > --- ap_UnixApp.cpp 12 Sep 2005 20:45:27 -0000
>
> > 1.285
> > +++ ap_UnixApp.cpp 2 Oct 2005 08:50:24 -0000
> > @@ -643,7 +643,7 @@
> >
> > if
> > (AP_UnixClipboard::isRichTextTag(szFormatFound))
> > {
> > - iLen =
> > UT_MIN(iLen,strlen(reinterpret_cast<const char
> > *>(pData)));
> > + iLen =
> > strnlen(reinterpret_cast<const char
> > *>(pData),iLen);
> >
> > IE_Imp_RTF * pImpRTF = new
> > IE_Imp_RTF(pDocRange->m_pDoc);
> > bSuccess =
> > pImpRTF->pasteFromBuffer(pDocRange,pData,iLen);
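Review bot: strnlen() on the replaced line in the isRichTextTag() branch is a GNU extension, as the man page excerpt quoted in the reply says, so this will not build on platforms whose libc lacks it. Route the call through a portable wrapper instead, for example iLen = UT_strnlen(reinterpret_cast<const char *>(pData), iLen); and make sure the wrapper's fallback loop tests the bound before it dereferences the pointer.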
> > @@ -724,7 +724,7 @@
> > }
> > else // (
> > AP_UnixClipboard::isTextTag(szFormatFound) )
> > {
> > - iLen =
> > UT_MIN(iLen,strlen(reinterpret_cast<const char
> > *>(pData)));
> > + iLen =
> > strnlen(reinterpret_cast<const char
> > *>(pData),iLen);
> >
> > IE_Imp_Text * pImpText = new
> > IE_Imp_Text(pDocRange->m_pDoc,"UTF-8");
> > bSuccess =
> > pImpText->pasteFromBuffer(pDocRange,pData,iLen);
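Review bot: the bounded-length line in this isTextTag() branch is the same cast and call as in the rich-text hunk above and the fallback hunk below; put it in one small helper that takes pData and iLen so the three paste paths cannot drift apart the next time the bound changes. A one-line comment at the call saying that pData is not guaranteed to be 0 terminated would also record why plain strlen() must not come back here.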
> > @@ -737,8 +737,8 @@
> > if(!bSuccess &&
> >
>
m_pClipboard->getTextData(tFrom,reinterpret_cast<const
> > void
> > **>(&pData),&iLen, &szFormatFound)) {
> > UT_DEBUGMSG(("DOM: pasting text as
> > an absolute fallback
> > (bug 7666)\n"));
> >
> > - iLen =
> > UT_MIN(iLen,strlen(reinterpret_cast<const char
> > *>(pData)));
> > -
> > + iLen =
> > strnlen(reinterpret_cast<const char
> > *>(pData),iLen);
> > +
> > IE_Imp_Text * pImpText = new
> > IE_Imp_Text(pDocRange->m_pDoc,"UTF-8");
> > bSuccess =
> > pImpText->pasteFromBuffer(pDocRange,pData,iLen);
> > DELETEP(pImpText);
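Review bot: the -/+ pair on the otherwise empty line after the new iLen assignment in the fallback path is a whitespace-only change; drop it so the hunk carries only the strlen() to strnlen() fix and the diff stays easy to audit.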
> >
> > --
> > Robert Wilhelm <robert.wilhelm@gmx.net>
> >
> >
>
>
>
>
>

                
Received on Sun Oct 2 18:05:09 2005
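
A guard-page check for a bounded length routine applied to clipboard data such as the pData buffer discussed in this thread, added here as an example (not code from the thread or from AbiWord): the buffer ends exactly where an unreadable page begins, so a routine that reads s[maxlen] crashes instead of passing unnoticed. The names bounded_len and guarded_buffer and the 16-byte payload are hypothetical, and POSIX mmap/mprotect are assumed.

```c
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS on glibc */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper, not AbiWord code: length of s, examining at most maxlen bytes. */
static size_t bounded_len(const char *s, size_t maxlen)
{
    const char *nul;
    if (!s || maxlen == 0)
        return 0;
    nul = memchr(s, '\0', maxlen);   /* memchr examines at most maxlen bytes */
    return nul ? (size_t)(nul - s) : maxlen;
}

/* n bytes of 'A' that end exactly where a PROT_NONE guard page begins,
   so reading buf[n] raises SIGSEGV instead of going unnoticed. */
static char *guarded_buffer(size_t n)
{
    long page = sysconf(_SC_PAGESIZE);
    char *map;
    if (page <= 0 || n > (size_t)page)
        return NULL;
    map = mmap(NULL, 2 * (size_t)page, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED || mprotect(map + page, (size_t)page, PROT_NONE) != 0)
        return NULL;
    memset(map + page - n, 'A', n);
    return map + page - n;
}

/* Constructed clipboard payload: 16 bytes, no terminator anywhere. */
size_t len_unterminated(void)
{
    char *buf = guarded_buffer(16);
    return buf ? bounded_len(buf, 16) : (size_t)-1;
}

/* Same payload with a NUL at offset 5: the shorter length wins. */
size_t len_embedded_nul(void)
{
    char *buf = guarded_buffer(16);
    if (!buf) return (size_t)-1;
    buf[5] = '\0';
    return bounded_len(buf, 16);
}

int main(void) { printf("%zu %zu\n", len_unterminated(), len_embedded_nul()); return 0; }
```

Swapping bounded_len for any other candidate routine in the two len_ functions turns this into a regression test: an implementation that dereferences before checking the bound faults on the unterminated case.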

This archive was generated by hypermail 2.1.8 : Sun Oct 02 2005 - 18:05:09 CEST