Re: Suspect buffer underrun in svn_path_uri_decode

From: Julian Foad <julianfoad_at_btopenworld.com>
Date: 2004-10-01 15:46:10 CEST

Reading old mail, I found this with no reply.

Klaus Rennecke wrote:
> Shall I file this in the issue tracker? I believe it's a severe memory
> corruption risk.

The snippet below only shows _reading_ from invalid memory, but this does then cause the output buffer to overflow, so it is bad.

So, yes, please file this in the issue tracker unless someone offers to fix it immediately.

- Julian

> Klaus Rennecke wrote:
>
>> [...libsvn_subr/path.c@r10135 line 850...]
(it's now around line 1000)
>> for (i = 0; path[i]; i++)
>> {
>> char c = path[i];
>> [...snip...]
>> else if (c == '%')
>> {
>> char digitz[3];
>> digitz[0] = path[++i];
>> digitz[1] = path[++i];
>> digitz[2] = '\0';|
>> [...]
>>
>> So, where will this end up with an input of "http://c.r.a/s%" ?
>> Granted, it's not really a valid URL, but that's no reason to plow
>> through the heap, is it? :-)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Fri Oct 1 15:47:31 2004

This message: [ Message body ]
Next message: Julian Foad: "Re: [FEAT. REQ] Aggregate working copy ?"
Previous message: Julian Foad: "Re: Issue #1586: Cancellation during gethostbyname() and connect()"
Next in thread: Peter N. Lundblad: "Re: Suspect buffer underrun in svn_path_uri_decode"
Reply: Peter N. Lundblad: "Re: Suspect buffer underrun in svn_path_uri_decode"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]