On 7/25/06, Reece Dunn <[EMAIL PROTECTED]> wrote:
Josiah Carlson wrote:
> "Neil Hodgson" <[EMAIL PROTECTED]> wrote:
> >
> > Jeremy Evans:
> >
> > > In updating the Scintilla and SciTE ports to 1.70 for OpenBSD, I've
> > > done a code audit and replaced the insecure string handling functions
> > > (strcat, strcpy, sprintf) with the secure ones (strlcat, strlcpy,
> > > snprintf, respectively).  Hopefully these security fixes can be
> > > applied to future versions of Scintilla and SciTE.
> >
> >    I won't be incorporating patches that will not compile with the
> > above compilers or with GCC 4.1.
>
> If the signatures are somewhat compatible, it would seem reasonable to
> use compiler-specific macro definitions, or even wrapper functions whose
> bodies are inlined.  Or maybe I have no idea what I'm talking about.

Inlined functions would be the best approach, considering that this is a C++
project :). One advantage of inlined functions is that you can deal with
functions that have different signatures.

They would most likely belong in the platform section as this is where the
platform-specific code goes. You would then use the appropriate compiler
defines to detect what the actual function names are.

This could then allow variants like:
*  use the Windows versions (lstrcpy, etc.);
*  use the VC2005 safe versions (e.g. strncpy_s);
*  use the Windows "strsafe.h" versions;
*  use a roll your own implementation (useful for WinCE, where
library support may be limited and vary depending on the platform).

For platforms that don't support secure string handling functions, you
could always inline a replacement that calls the insecure string
function and drops the extra length argument.

I think the changes are beneficial, even if they aren't exploitable.
For example, the use of strcpy in LexRuby.cxx is probably not
exploitable, as it appears to always copy from a 100 byte buffer to a
201 byte buffer.  I didn't attempt to determine if any of the other
uses of the insecure functions are exploitable.

I did find a bug in the ruby lexer, however (while attempting to
determine whether the above strcpy was exploitable).  Type 104
consecutive alphanumeric characters (start with an alphabetic
character), and it crashes SciTE if the ruby lexer is used (tested on
Windows).

Apologies if this is sent twice, the first time I got a message that
it was blocked for moderator approval due to an attached proof of
concept for the ruby lexer bug.

Jeremy
_______________________________________________
Scintilla-interest mailing list
[email protected]
http://mailman.lyra.org/mailman/listinfo/scintilla-interest
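As an added example (not Scintilla's code and not code from any poster), one way to write the inlined platform wrapper Reece describes: compiler defines pick strlcpy or the VC2005 safe CRT, with a roll-your-own fallback elsewhere, and a small harness shows the caller seeing truncation instead of an overflow. The names Platform::StringCopy, SCI_HAVE_STRLCPY and CopyRun are assumptions for the example.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// Platforms whose libc ships strlcpy (BSD family, macOS); everything else
// takes the fallback below unless it is the VC2005+ CRT.
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
#define SCI_HAVE_STRLCPY 1
#endif

namespace Platform {

// Copies src into dst (capacity dstSize), always NUL-terminating and
// truncating when src does not fit.  Returns strlen(src), like strlcpy,
// so the caller can test `result >= dstSize` to detect truncation.
inline size_t StringCopy(char *dst, size_t dstSize, const char *src) {
#if defined(SCI_HAVE_STRLCPY)
    return strlcpy(dst, src, dstSize);
#elif defined(_MSC_VER) && _MSC_VER >= 1400
    // VC2005 safe CRT; _TRUNCATE makes over-long input truncate instead of fail.
    strncpy_s(dst, dstSize, src, _TRUNCATE);
    return strlen(src);
#else
    // Roll-your-own fallback (e.g. WinCE): never writes past dstSize bytes.
    const size_t srcLen = strlen(src);
    if (dstSize != 0) {
        const size_t n = (srcLen < dstSize - 1) ? srcLen : dstSize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srcLen;
#endif
}

inline bool Truncated(size_t copied, size_t dstSize) { return copied >= dstSize; }

} // namespace Platform

struct CopyResult {
    std::string text;   // what ended up in dst (up to the first NUL)
    bool truncated;     // what the caller can observe from the return value
    bool guardIntact;   // the 4 bytes after the buffer were never written
};

// Pushes a constructed run of `srcLen` alphanumerics through a fixed
// `dstSize` buffer, as a lexer does with a long identifier.
inline CopyResult CopyRun(size_t dstSize, size_t srcLen) {
    std::string src(srcLen, 'a');
    std::string dst(dstSize + 4, 'G');   // buffer followed by 4 guard bytes
    size_t r = Platform::StringCopy(&dst[0], dstSize, src.c_str());
    return CopyResult{ std::string(dst.c_str()), Platform::Truncated(r, dstSize),
                       dst.compare(dstSize, 4, "GGGG") == 0 };
}
```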
