
[PATCH] Fix buffer overflow from expanding long keyword values

From: Ken Case <kc_at_omnigroup.com>
Date: 2005-11-01 21:17:49 CET

We just fixed a buffer overflow which we encountered when expanding
long keyword values: the code in translate_keyword_subst tries to
truncate the keyword values to fit within the fixed-size buffer which
was passed to it, but it doesn't take into account the amount of
space used by the keyword itself.

I'm including a patch, as well as a simple test script which
demonstrates the problem and which can also be used to verify that
the patch fixes the issue. The test script creates a repository in
/tmp/SubversionBufferOverflowTest, creates a long path, commits a new
file which contains a URL keyword, then "svn cat"s that file back
out. Without the patch, the output can be corrupt or the client can
crash. With the patch, the keyword is truncated as that code intended.

(This points out a need for SVN_KEYWORD_MAX_LEN to grow to accommodate
the maximum possible length of a Subversion URL--which is much longer
than its current value of 256--but that's a separate issue.)



Fix buffer overflow encountered when expanding a long keyword value.

* subversion/libsvn_subr/subst.c
   (translate_keyword_subst): When calculating the maximum length of
an expanded keyword value, we need to take into account the amount of
space used by the keyword itself or we will overflow our fixed-length
buffer (passed in via our `buf' parameter, declared on the stack in
svn_subst_translate_stream3() as "char keyword_buf
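
The length budget the post describes, as an added illustration that is constructed here and is not Subversion's subst.c or the patch itself: `flawed_budget_overflows` mirrors the bug (the value is clipped to the buffer size alone), while `expand_keyword` charges the keyword and delimiters against the budget before truncating; the function names, the 64-byte buffer and the sample URL are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed illustration, not Subversion's subst.c; names are hypothetical. */

/* Budget mirroring the bug in the post: the value is clipped to the buffer
 * size alone, ignoring keyword and delimiters. True if that would overflow. */
static bool flawed_budget_overflows(size_t buf_size, const char *keyword,
                                    const char *value)
{
    size_t val_len = strlen(value) > buf_size ? buf_size : strlen(value);
    return 1 + strlen(keyword) + 2 + val_len + 2 + 1 > buf_size;
}

/* Corrected expansion into "$Keyword: value $": charge the keyword and
 * delimiters against the budget before truncating the value. Returns bytes
 * written (excluding NUL), or -1 when buf cannot hold even "$Keyword:  $". */
static long expand_keyword(char *buf, size_t buf_size,
                           const char *keyword, const char *value)
{
    size_t fixed = 1 + strlen(keyword) + 2 + 2 + 1; /* '$' kw ": " " $" NUL */
    if (buf_size < fixed)
        return -1;
    size_t val_len = strlen(value);
    if (val_len > buf_size - fixed)
        val_len = buf_size - fixed;
    return snprintf(buf, buf_size, "$%s: %.*s $", keyword, (int)val_len, value);
}

/* Constructed sample: a 299-character repository URL, longer than any buffer below. */
static const char *sample_long_url(void)
{
    static char url[300];
    const char prefix[] = "http://svn.example.invalid/";
    memset(url, 'a', sizeof url - 1);
    memcpy(url, prefix, strlen(prefix));
    url[sizeof url - 1] = '\0';
    return url;
}

/* Expand the sample into a 64-byte buffer; bytes written, or -1 if malformed/overlong. */
static long demo_fixed_expansion(void)
{
    char buf[64];
    long n = expand_keyword(buf, sizeof buf, "URL", sample_long_url());
    bool ok = n > 0 && (size_t)n < sizeof buf && !strncmp(buf, "$URL: ", 6)
              && !strcmp(buf + n - 2, " $");
    return ok ? n : -1;
}
```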



Received on Tue Nov 1 23:38:05 2005

This is an archived mail posted to the Subversion Dev mailing list.
