https://bz.apache.org/bugzilla/show_bug.cgi?id=61353
Bug ID: 61353
Summary: escape_sgml_chars doesn't allocate large enough buffer
Product: Rivet
Version: 2.2.3
Hardware: PC
OS: FreeBSD
Status: NEW
Severity: critical
Priority: P2
Component: Rivet Core Commands
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: mod_rivet
It's possible to perform a buffer overflow in escape_sgml_chars for very short
strings that contain mostly characters that require escaping because the
temporary buffer allocation is not large enough.
$ tclsh
% package require rivetlib
2.2.3
% puts [::rivet::escape_sgml_chars "&"]
alloc: invalid block: 0x80214f620: ef ef 3b
Abort trap (core dumped)
In Rivet_EscapeSgmlCharsCmd, the following buffer allocation is done; however,
the worst-case escaping requires 6 characters per input character if the input
string consists entirely of double-quote characters.
newString = (char *)Tcl_Alloc( (unsigned)origLength * 3 + 1 );
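As an added illustration (not Rivet's own code), the following C snippet contrasts the 3x sizing from the report with a two-pass approach that measures the escaped output before allocating. The escape table (&, <, >, " with "&quot;" as the longest replacement) is an assumption made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed escape table (example only, not Rivet's code): the longest
 * replacement is "&quot;" (6 bytes), so a 3x buffer cannot hold it. */
static const char *sgml_replacement(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    default:   return NULL;   /* copied through unchanged */
    }
}

/* Bytes the 2.2.3 allocation (origLength * 3 + 1) reserves for an input. */
size_t undersized_alloc(size_t orig_length)
{
    return orig_length * 3 + 1;
}

/* Exact number of bytes (excluding the NUL) the escaped form needs. */
size_t escaped_length(const char *in)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *r = sgml_replacement(*in);
        n += r ? strlen(r) : 1;
    }
    return n;
}

/* Two-pass escape: measure first, then allocate exactly. Caller frees. */
char *escape_sgml_chars_safe(const char *in)
{
    size_t need = escaped_length(in) + 1;
    char *out = malloc(need);
    char *p;
    if (!out) return NULL;
    for (p = out; *in; in++) {
        const char *r = sgml_replacement(*in);
        if (r) { size_t len = strlen(r); memcpy(p, r, len); p += len; }
        else *p++ = *in;
    }
    *p = '\0';
    return out;
}
```

For the one-character input "&" from the report, escaped_length returns 5, so 6 bytes are needed while the original sizing reserves only 4.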