--- lynx2-8-4/WWW/Library/Implementation/HTMIME.c.CAN-2005-3120	2001-07-08 02:30:13.000000000 +0100
+++ lynx2-8-4/WWW/Library/Implementation/HTMIME.c	2005-10-10 13:41:54.000000000 +0100
@@ -1967,27 +1967,24 @@
 **
 **	Written by S. Ichikawa,
 **	partially inspired by encdec.c of <jh@efd.lth.se>.
-**	Assume caller's buffer is LINE_LENGTH bytes, these decode to
-**	no longer than the input strings.
+**	Caller's buffers decode to no longer than the input strings.
 */
-#define LINE_LENGTH 512		/* Maximum length of line of ARTICLE etc */
-#ifdef ESC
-#undef ESC
-#endif /* ESC */
 #include <LYCharVals.h>  /* S/390 -- gil -- 0163 */
-#define ESC	CH_ESC
 
 PRIVATE char HTmm64[] =
     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" ;
 PRIVATE char HTmmquote[] = "0123456789ABCDEF";
 PRIVATE int HTmmcont = 0;
 
-PUBLIC void HTmmdec_base64 ARGS2(
-	char *,		t,
+static void HTmmdec_base64 ARGS2(
+	char **,	t,
 	char *,		s)
 {
     int   d, count, j, val;
-    char  buf[LINE_LENGTH], *bp, nw[4], *p;
+    char  *buf, *bp, nw[4], *p;
+
+    if ((buf = malloc(strlen(s) * 3 + 1)) == 0)
+	outofmem(__FILE__, "HTmmdec_base64");
 
     for (bp = buf; *s; s += 4) {
 	val = 0;
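Review bot: The loop `for (bp = buf; *s; s += 4)` still advances four characters per pass and tests only `*s`, so an encoded word whose length is not a multiple of four can step over the terminator unless the loop body rejects short groups. That body lies between this hunk and the next and is not visible here, so this needs confirming against the full function. If it does not already bail out, an explicit length check before the loop would make the bound clear, for example `if (strlen(s) % 4 != 0) { StrAllocCopy(*t, ""); FREE(buf); return; }`. A short comment that base64 yields at most three bytes per four input characters would also explain why `strlen(s) * 3 + 1` is more than enough.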
@@ -2018,14 +2015,18 @@
 	    *bp++ = nw[2];
     }
     *bp = '\0';
-    strcpy(t, buf);
+    StrAllocCopy(*t, buf);
+    FREE(buf);
 }
 
-PUBLIC void HTmmdec_quote ARGS2(
-	char *,		t,
+static void HTmmdec_quote ARGS2(
+	char **,	t,
 	char *,		s)
 {
-    char  buf[LINE_LENGTH], cval, *bp, *p;
+    char  *buf, cval, *bp, *p;
+
+    if ((buf = malloc(strlen(s) + 1)) == 0)
+	outofmem(__FILE__, "HTmmdec_quote");
 
     for (bp = buf; *s; ) {
 	if (*s == '=') {
@@ -2052,23 +2053,27 @@
 	}
     }
     *bp = '\0';
-    strcpy(t, buf);
+    StrAllocCopy(*t, buf);
+    FREE(buf);
 }
 
 /*
 **	HTmmdecode for ISO-2022-JP - FM
 */
 PUBLIC void HTmmdecode ARGS2(
-	char *,		trg,
-	char *,		str)
+	char **,	target,
+	char *,		source)
 {
-    char buf[LINE_LENGTH], mmbuf[LINE_LENGTH];
+    char *buf;
+    char *mmbuf = NULL;
+    char *m2buf = NULL;
     char *s, *t, *u;
     int  base64, quote;
 
-    buf[0] = '\0';
+    if ((buf = malloc(strlen(source) + 1)) == 0)
+	outofmem(__FILE__, "HTmmdecode");
 
-    for (s = str, u = buf; *s; ) {
+    for (s = source, u = buf; *s; ) {
 	if (!strncasecomp(s, "=?ISO-2022-JP?B?", 16)) {
 	    base64 = 1;
 	} else {
@@ -2082,15 +2087,18 @@
 	if (base64 || quote) {
 	    if (HTmmcont) {
 		for (t = s - 1;
-		    t >= str && (*t == ' ' || *t == '\t'); t--) {
+		    t >= source && (*t == ' ' || *t == '\t'); t--) {
 			u--;
 		}
 	    }
+	    if (mmbuf == 0)	/* allocate buffer big enough for source */
+		StrAllocCopy(mmbuf, source);
 	    for (s += 16, t = mmbuf; *s; ) {
 		if (s[0] == '?' && s[1] == '=') {
 		    break;
 		} else {
 		    *t++ = *s++;
+		    *t = '\0';
 		}
 	    }
 	    if (s[0] != '?' || s[1] != '=') {
@@ -2100,14 +2108,12 @@
 		*t = '\0';
 	    }
 	    if (base64)
-		HTmmdec_base64(mmbuf, mmbuf);
+		HTmmdec_base64(&m2buf, mmbuf);
 	    if (quote)
-		HTmmdec_quote(mmbuf, mmbuf);
-	    for (t = mmbuf; *t; )
+		HTmmdec_quote(&m2buf, mmbuf);
+	    for (t = m2buf; *t; )
 		*u++ = *t++;
 	    HTmmcont = 1;
-	    /* if (*s == ' ' || *s == '\t') *u++ = *s; */
-	    /* for ( ; *s == ' ' || *s == '\t'; s++) ; */
 	} else {
 	    if (*s != ' ' && *s != '\t')
 		HTmmcont = 0;
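Review bot: `m2buf` is dereferenced by `for (t = m2buf; *t; )` without a check, yet it starts as NULL and is assigned only when a decoder reaches its final `StrAllocCopy(*t, buf)`. The middle of both decoders is outside the visible hunks; if either still has an early `return` on malformed input, that path would leak the decoder's `buf` and leave `m2buf` NULL or still holding the previous encoded word. Resetting it before each decode (`FREE(m2buf);`) and guarding the copy with `if (m2buf != 0)` would make this loop safe whatever the decoders do. HTmmdecode's body starts and ends outside this hunk.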
@@ -2116,7 +2122,10 @@
     }
     *u = '\0';
 end:
-    strcpy(trg, buf);
+    StrAllocCopy(*target, buf);
+    FREE(m2buf);
+    FREE(mmbuf);
+    FREE(buf);
 }
 
 /*
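Review bot: The `end:` label sits after `*u = '\0';`, so any jump to it skips the terminator and `StrAllocCopy(*target, buf)` then reads `buf` as a string that was never terminated. The patch also removes the old `buf[0] = '\0';` initialisation, and `buf` now comes from `malloc`, so its content on that path is indeterminate. The `goto end` itself is outside the visible hunks (presumably the unterminated encoded-word case), so this should be confirmed against the full function. Moving the terminator below the label, `end:` followed by `*u = '\0';`, covers both paths as long as `u` stays inside `buf`.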
@@ -2124,22 +2133,27 @@
 **  (The author of this function "rjis" is S. Ichikawa.)
 */
 PUBLIC int HTrjis ARGS2(
-	char *,		t,
+	char **,	t,
 	char *,		s)
 {
-    char *p, buf[LINE_LENGTH];
+    char *p;
+    char *buf = NULL;
     int kanji = 0;
 
-    if (strchr(s, ESC) || !strchr(s, '$')) {
-	if (s != t)
-	    strcpy(t, s);
+    if (strchr(s, CH_ESC) || !strchr(s, '$')) {
+	if (s != *t)
+	    StrAllocCopy(*t, s);
 	return 1;
     }
+
+    if ((buf = malloc(strlen(s) * 2 + 1)) == 0)
+	outofmem(__FILE__, "HTrjis");
+
     for (p = buf; *s; ) {
 	if (!kanji && s[0] == '$' && (s[1] == '@' || s[1] == 'B')) {
 	    if (HTmaybekanji((int)s[2], (int)s[3])) {
 		kanji = 1;
-		*p++ = ESC;
+		*p++ = CH_ESC;
 		*p++ = *s++;
 		*p++ = *s++;
 		*p++ = *s++;
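Review bot: HTrjis now reallocates `*t` on both paths, but the comment above it says nothing about ownership or about what the two return values mean. A header comment would help callers, along the lines of `/* *t is replaced via StrAllocCopy and is freed by the caller; returns 1 if s was copied unchanged, 0 if it was rewritten with CH_ESC inserted */`. It is also worth stating that `s` may alias `*t`, since `decode_mime` calls `HTrjis(str, *str)` and the early branch depends on the `s != *t` test for that case. The function body continues outside this hunk.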
@@ -2151,7 +2165,7 @@
 	}
 	if (kanji && s[0] == '(' && (s[1] == 'J' || s[1] == 'B')) {
 	    kanji = 0;
-	    *p++ = ESC;
+	    *p++ = CH_ESC;
 	    *p++ = *s++;
 	    *p++ = *s++;
 	    continue;
@@ -2160,7 +2174,8 @@
     }
     *p = *s;	/* terminate string */
 
-    strcpy(t, buf);
+    StrAllocCopy(*t, buf);
+    FREE(buf);
     return 0;
 }
 
--- lynx2-8-4/WWW/Library/Implementation/HTMIME.h.CAN-2005-3120	1999-12-15 11:03:18.000000000 +0000
+++ lynx2-8-4/WWW/Library/Implementation/HTMIME.h	2005-10-10 13:41:54.000000000 +0100
@@ -67,21 +67,13 @@
   For handling Japanese headers.
 
 */
-extern void HTmmdec_base64 PARAMS((
-	char *	t,
-	char *	s));
-
-extern void HTmmdec_quote PARAMS((
-	char *	t,
-	char *	s));
-
 extern void HTmmdecode PARAMS((
-	char *	trg,
-	char *	str));
+	char **target,
+	char *source));
 
 extern int HTrjis PARAMS((
-	char *	t,
-	char *	s));
+	char **target,
+	char *source));
 
 extern int HTmaybekanji PARAMS((
 	int	c1,
--- lynx2-8-4/WWW/Library/Implementation/HTNews.c.CAN-2005-3120	2001-06-03 20:58:00.000000000 +0100
+++ lynx2-8-4/WWW/Library/Implementation/HTNews.c	2005-10-10 13:41:54.000000000 +0100
@@ -940,7 +940,6 @@
     }
 }
 
-#ifdef SH_EX	/* for MIME */
 #define NEWS_DEBUG 0
 #if NEWS_DEBUG
 /* for DEBUG 1997/11/07 (Fri) 17:20:16 */
@@ -963,44 +962,18 @@
 }
 #endif
 
-static char *decode_mime(char *str)
+static char *decode_mime(char **str)
 {
     char temp[LINE_LENGTH];	/* FIXME: what determines the actual size? */
     char *p, *q;
 
-    if (str == NULL)
-	return "";
-
+#ifdef SH_EX
     if (HTCJK != JAPANESE)
-	return str;
-
-    LYstrncpy(temp, str, sizeof(temp) - 1);
-    q = temp;
-    while ((p = strchr(q, '=')) != 0) {
-	if (p[1] == '?') {
-	    HTmmdecode(p, p);
-	    q = p + 2;
-	} else {
-	    q = p + 1;
-	}
-    }
-#if NEWS_DEBUG
-    printf("new=[");
-    debug_print(temp);
+	return *str;
 #endif
-    HTrjis(temp, temp);
-    strcpy(str, temp);
-
-    return str;
+    HTmmdecode(str, *str);
+    return HTrjis(str, *str) ? *str : "";
 }
-#else /* !SH_EX */
-static char *decode_mime ARGS1(char *, str)
-{
-    HTmmdecode(str, str);
-    HTrjis(str, str);
-    return str;
-}
-#endif
 
 
 /*	Read in an Article					read_article
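Review bot: The removed `if (str == NULL) return "";` guard has no replacement, so `decode_mime` now passes `*str` straight to `HTmmdecode`, which begins with `strlen(source)`. In the listing code `subject` is initialised to NULL and `decode_mime(&subject)` is called for each article, so a response with no Subject header would reach that `strlen` with a NULL pointer unless the `SH_EX` early return applies; the `NonNull(p)` at that call site suggests NULL was expected. Adding `if (str == 0 || *str == 0) return "";` at the top restores the old behaviour. Separately, `temp`, `p` and `q` are now unused and can be dropped, and `HTrjis(str, *str) ? *str : ""` returns the empty string exactly when HTrjis returns 0 (its converting path), which looks inverted and should be confirmed.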
@@ -1088,22 +1061,22 @@
 
 		} else if (match(full_line, "SUBJECT:")) {
 		    StrAllocCopy(subject, HTStrip(strchr(full_line,':')+1));
-		    decode_mime(subject);
+		    decode_mime(&subject);
 		} else if (match(full_line, "DATE:")) {
 		    StrAllocCopy(date, HTStrip(strchr(full_line,':')+1));
 
 		} else if (match(full_line, "ORGANIZATION:")) {
 		    StrAllocCopy(organization,
 				 HTStrip(strchr(full_line,':')+1));
-		    decode_mime(organization);
+		    decode_mime(&organization);
 
 		} else if (match(full_line, "FROM:")) {
 		    StrAllocCopy(from, HTStrip(strchr(full_line,':')+1));
-		    decode_mime(from);
+		    decode_mime(&from);
 
 		} else if (match(full_line, "REPLY-TO:")) {
 		    StrAllocCopy(replyto, HTStrip(strchr(full_line,':')+1));
-		    decode_mime(replyto);
+		    decode_mime(&replyto);
 
 		} else if (match(full_line, "NEWSGROUPS:")) {
 		    StrAllocCopy(newsgroups, HTStrip(strchr(full_line,':')+1));
@@ -1712,8 +1685,8 @@
 	int,		last_required)
 {
     char line[LINE_LENGTH+1];
-    char author[LINE_LENGTH+1];
-    char subject[LINE_LENGTH+1];
+    char *author = NULL;
+    char *subject = NULL;
     char *date = NULL;
     int i;
     char *p;
@@ -1726,7 +1699,6 @@
     int status, count, first, last;	/* Response fields */
 					/* count is only an upper limit */
 
-    author[0] = '\0';
     START(HTML_HEAD);
     PUTC('\n');
     START(HTML_TITLE);
@@ -1947,8 +1919,8 @@
 			case 'S':
 			case 's':
 			    if (match(line, "SUBJECT:")) {
-				LYstrncpy(subject, line+9, sizeof(subject)-1);/* Save subject */
-				decode_mime(subject);
+				StrAllocCopy(subject, line + 9);
+				decode_mime(&subject);
 			    }
 			    break;
 
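Review bot: `StrAllocCopy(subject, line + 9)` assumes at least one character follows `SUBJECT:`; for a line that ends right after the colon, `line + 9` points past the terminator, and the copy is no longer bounded by `sizeof(subject)` as the old `LYstrncpy` was. Taking the value the way the read_article hunk of this patch does, `StrAllocCopy(subject, HTStrip(strchr(line, ':') + 1));`, avoids the fixed offset. The surrounding switch starts and ends outside this hunk.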
@@ -1965,10 +1937,8 @@
 			case 'F':
 			    if (match(line, "FROM:")) {
 				char * p2;
-				LYstrncpy(author,
-					author_name(strchr(line,':')+1),
-					sizeof(author)-1);
-				decode_mime(author);
+				StrAllocCopy(author, strchr(line, ':') + 1);
+				decode_mime(&author);
 				p2 = author + strlen(author) - 1;
 				if (*p2==LF)
 				    *p2 = '\0'; /* Chop off newline */
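Review bot: `p2 = author + strlen(author) - 1` points one byte before the allocation when the decoded value is empty, and the `*p2 == LF` test then reads (and may write) outside it. With `author` now a heap string, the length should be checked first, e.g. `size_t n = strlen(author);` then `if (n > 0 && author[n - 1] == LF) author[n - 1] = '\0';`. The hunk also drops the `author_name()` call that the old code applied to the header value; if that is intentional it deserves a mention in the change description, otherwise the listing will show the raw From field.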
@@ -1989,11 +1959,8 @@
 
 		PUTC('\n');
 		START(HTML_LI);
-#ifdef SH_EX	/* for MIME */
-		HTSprintf0(&temp, "\"%s\"", decode_mime(subject));
-#else
-		HTSprintf0(&temp, "\"%s\"", subject);
-#endif
+		p = decode_mime(&subject);
+		HTSprintf0(&temp, "\"%s\"", NonNull(p));
 		if (reference) {
 		    write_anchor(temp, reference);
 		    FREE(reference);
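Review bot: `subject` was already decoded in place when the SUBJECT header was read, so `p = decode_mime(&subject)` here runs the MIME and JIS decoding a second time over decoded text; the same applies to `PUTS(decode_mime(&author))` in the next hunk. Since `decode_mime` now rewrites its argument, `HTSprintf0(&temp, "\"%s\"", NonNull(subject));` would be enough. That also avoids re-interpreting decoded data that happens to contain an encoded-word marker.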
@@ -2002,18 +1969,14 @@
 		}
 		FREE(temp);
 
-		if (author[0] != '\0') {
+		if (author != NULL) {
 		     PUTS(" - ");
 		     if (LYListNewsDates)
 			 START(HTML_I);
-#ifdef SH_EX	/* for MIME */
-		     PUTS(decode_mime(author));
-#else
-		     PUTS(author);
-#endif
+		     PUTS(decode_mime(&author));
 		     if (LYListNewsDates)
 			 END(HTML_I);
-		     author[0] = '\0';
+		     FREE(author);
 		}
 		if (date) {
 		    if (!diagnostic) {
@@ -2056,6 +2019,8 @@
 		MAYBE_END(HTML_LI);
 	    } /* Handle response to HEAD request */
 	} /* Loop over article */
+	FREE(author);
+	FREE(subject);
     } /* If read headers */
     PUTC('\n');
     if (LYListNewsNumbers)
--- lynx2-8-4/WWW/Library/Implementation/HTUtils.h.CAN-2005-3120	2001-07-08 02:30:13.000000000 +0100
+++ lynx2-8-4/WWW/Library/Implementation/HTUtils.h	2005-10-10 13:41:54.000000000 +0100
@@ -311,6 +311,7 @@
 #define NULL ((void *)0)
 #endif
 
+#define NonNull(s) (((s) != 0) ? s : "")
 #define NONNULL(s) (((s) != 0) ? s : "(null)")
 
 /* array/table size */
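Review bot: `NonNull(s)` expands its argument unparenthesised in the true arm and evaluates it twice, so it is only safe with a simple variable such as the `NonNull(p)` use in HTNews.c. Writing it as `#define NonNull(s) (((s) != 0) ? (s) : "")` removes the precedence hazard. A one-line comment saying it differs from `NONNULL` only in the fallback string would also help readers tell the two apart.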
--- lynx2-8-4/CHANGES.CAN-2005-3120	2005-10-10 13:41:54.000000000 +0100
+++ lynx2-8-4/CHANGES	2005-10-10 13:41:54.000000000 +0100
@@ -1,5 +1,7 @@
 Changes since Lynx 2.8 release
 ===============================================================================
+* eliminate fixed-size buffers in HTrjis() and related functions to avoid
+  potential buffer overflow in nntp pages (report by Ulf Harnhammar) -TD
 
 2001-07-17 (2.8.4rel.1)
 extracted from 2002-08-14 (2.8.5dev.9)
