
Re: Suspect buffer underrun in svn_path_uri_decode

From: Julian Foad <julianfoad_at_btopenworld.com>
Date: 2004-10-01 15:46:10 CEST

Reading old mail, I found this with no reply.

Klaus Rennecke wrote:
> Shall I file this in the issue tracker? I believe it's a severe memory
> corruption risk.

The snippet below only shows _reading_ from invalid memory, but this does then cause the output buffer to overflow, so it is bad.

So, yes, please file this in the issue tracker unless someone offers to fix it immediately.

- Julian

> Klaus Rennecke wrote:
>
>> [...libsvn_subr/path.c@r10135 line 850...]
(it's now around line 1000)
>>   for (i = 0; path[i]; i++)
>>     {
>>       char c = path[i];
>>       [...snip...]
>>       else if (c == '%')
>>         {
>>           char digitz[3];
>>           digitz[0] = path[++i];
>>           digitz[1] = path[++i];
>>           digitz[2] = '\0';
>>           [...]
>>
>> So, where will this end up with an input of "http://c.r.a/s%" ?
>> Granted, it's not really a valid URL, but that's no reason to plow
>> through the heap, is it? :-)

Received on Fri Oct 1 15:47:31 2004

This is an archived mail posted to the Subversion Dev mailing list.
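
Editor's added example (not part of the original mail, and not Subversion's actual fix): in the quoted loop, a '%' at the end of the string makes the two `++i` reads step over the terminator, so the `path[i]` loop test keeps scanning past the input. The sketch below validates both hex digits before consuming them. The name `uri_decode_checked`, the caller-supplied output size, and the policy of copying a malformed '%' through literally are assumptions made for illustration.

```c
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit (including '\0'). */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper (not a Subversion API): percent-decode `path` into
 * `out`, whose capacity `out_size` includes the terminator.
 * Returns the decoded length, or -1 if `out` is too small.
 * Assumed policy: a '%' not followed by two hex digits is copied literally. */
long uri_decode_checked(const char *path, char *out, size_t out_size)
{
    size_t i, n = 0;

    for (i = 0; path[i] != '\0'; i++) {
        char c = path[i];

        if (c == '%') {
            /* Look ahead one byte at a time: path[i + 2] is read only
             * after path[i + 1] is known not to be the terminator. */
            int hi = hex_val(path[i + 1]);
            int lo = (hi >= 0) ? hex_val(path[i + 2]) : -1;

            if (hi >= 0 && lo >= 0) {
                c = (char)((hi << 4) | lo);
                i += 2; /* consume the digits only once both are valid */
            }
        }
        if (n + 1 >= out_size)
            return -1; /* always leave room for the terminator */
        out[n++] = c;
    }
    if (out_size == 0)
        return -1;
    out[n] = '\0';
    return (long)n;
}
```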