bug-texinfo
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Patch for a segfault bug in 'info' reader


From: Karl Berry
Subject: Re: Patch for a segfault bug in 'info' reader
Date: Sat, 7 Aug 2004 18:15:53 -0400

    info then tries to add to your input '[No completion]' and overruns
    input_line

That's what I tried, and I can see that's what the code does, but it
doesn't crash for me.  Oh well.  Can you see if the appended patch fixes
it?  I also checked it in to CVS (on savannah.gnu.org).

    original report called this a 'severe security bug' :)

Yeah, well, people will call anything a security bug these days.  info
is hardly a privileged system program or anything that's likely to be
run from a root script, so I decline to get too excited about it.  I'm
sure there are tons of potential buffer overruns in makeinfo and info.

Thanks,
k

Index: echo-area.c
===================================================================
RCS file: /cvsroot/texinfo/texinfo/info/echo-area.c,v
retrieving revision 1.4
diff -c -r1.4 echo-area.c
*** echo-area.c 24 Jul 2004 18:12:38 -0000      1.4
--- echo-area.c 7 Aug 2004 21:57:41 -0000
***************
*** 1499,1511 ****
     for input or a couple of seconds, whichever comes first.  Then flush the
     informational message that was printed. */
  void
! inform_in_echo_area (char *message)
  {
!   register int i;
    char *text;
  
    text = xstrdup (message);
!   for (i = 0; text[i] && text[i] != '\n'; i++)
      ;
    text[i] = 0;
  
--- 1499,1512 ----
     for input or a couple of seconds, whichever comes first.  Then flush the
     informational message that was printed. */
  void
! inform_in_echo_area (const char *message)
  {
!   int i;
    char *text;
+   int avail = EA_MAX_INPUT + 1 - input_line_end;
  
    text = xstrdup (message);
!   for (i = 0; text[i] && text[i] != '\n' && i < avail; i++)
      ;
    text[i] = 0;
  
Index: echo-area.h
===================================================================
RCS file: /cvsroot/texinfo/texinfo/info/echo-area.h,v
retrieving revision 1.3
diff -c -r1.3 echo-area.h
*** echo-area.h 11 Apr 2004 17:56:45 -0000      1.3
--- echo-area.h 7 Aug 2004 21:57:41 -0000
***************
*** 33,39 ****
     killed some text. */
  extern int echo_area_last_command_was_kill;
  
! extern void inform_in_echo_area (char *message);
  extern void echo_area_inform_of_deleted_window (WINDOW *window);
  extern void echo_area_prep_read (void);
  extern VFunction *ea_last_executed_command;
--- 33,39 ----
     killed some text. */
  extern int echo_area_last_command_was_kill;
  
! extern void inform_in_echo_area (const char *message);
  extern void echo_area_inform_of_deleted_window (WINDOW *window);
  extern void echo_area_prep_read (void);
  extern VFunction *ea_last_executed_command;


[Roman's msg to me for the sake of the archive.]

Date: Sat, 7 Aug 2004 19:11:03 +0200
From: Roman Werpachowski <address@hidden>
To: address@hidden (Karl Berry)
Subject: Re: Patch for a segfault bug in 'info' reader

Dnia sobota, 7 sierpnia 2004 17:54, napisa³e¶:
>     -  sprintf (&input_line[input_line_end], "%s[%s]\n",
>     -           echo_area_is_active ? " ": "", text);
>     +  snprintf (&input_line[input_line_end], EA_MAX_INPUT + 1 -
> input_line_end, +                 "%s[%s]\n", echo_area_is_active ? " ":
> "", text);
>
> I see the problem, but is there a way to reproduce the problem, or was
> it found by pure inspection?  If I just type a ton of input, it doesn't
> crash.

To cause 'info' to crash, just:

$ info rm (or similar page with xrefs)

press 'f' ('Follow the xref' command)

and type around 225 chars, to fill the limit

and press 'Enter' or 'Tab' (you need to press 'Tab' twice)

info then tries to add to your input '[No completion]' and overruns input_line 
buffer.

>
>     The bug was pointed out on bugtraq by somebody else.
>
> I searched for echo-area.c at
> http://www.securityfocus.com/archive/1, but didn't find the original
> report.  Help?
>
> Thanks much for sending.
>
> k

Search for 'info', the original report didn't mention echo-area.c BTW, the 
original report called this a 'severe security bug' :)

-- 
/* Roman Werpachowski */

Ten e-mail zosta³ sprawdzony i
zaakceptowany przez fretkê Tintin.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]