On 7/25/06, Reece Dunn <[EMAIL PROTECTED]> wrote:
> Josiah Carlson wrote:
> > "Neil Hodgson" <[EMAIL PROTECTED]> wrote:
> > >
> > > Jeremy Evans:
> > >
> > > > In updating the Scintilla and SciTE ports to 1.70 for OpenBSD, I've
> > > > done a code audit and replaced the insecure string handling functions
> > > > (strcat, strcpy, sprintf) with the secure ones (strlcat, strlcpy,
> > > > snprintf, respectively). Hopefully these security fixes can be
> > > > applied to future versions of Scintilla and SciTE.
> > >
> > > I won't be incorporating patches that will not compile with the
> > > above compilers or with GCC 4.1.
> >
> > If the signatures are somewhat compatible, it would seem reasonable to
> > use compiler-specific macro definitions, or even wrapper functions whose
> > bodies are inlined. Or maybe I have no idea what I'm talking about.
>
> Inlined functions would be the best approach, considering that this is a
> C++ project :). One advantage of inlined functions is that you can deal
> with functions that have different signatures. They would most likely
> belong in the platform section as this is where the platform-specific
> code goes. You would then use the appropriate compiler defines to detect
> what the actual function names are. This could then allow variants like:
>
> * use the Windows versions (lstrcpy, etc.);
> * use the VC2005 safe versions (e.g. strncpy_s);
> * use the Windows "strsafe.h" versions;
> * use a roll your own implementation (useful for WinCE, where library
>   support may be limited and vary depending on the platform).
For platforms that don't support secure string handling functions, you could always inline a replacement that just calls the insecure string function and drops the extra length argument.

I think the changes are beneficial, even if they aren't exploitable. For example, the use of strcpy in LexRuby.cxx is probably not exploitable, as it appears to always copy from a 100 byte buffer to a 201 byte buffer. I didn't attempt to determine if any of the other uses of the insecure functions are exploitable.

I did find a bug in the ruby lexer, however (while attempting to determine whether the above strcpy was exploitable). Type 105 consecutive alphanumeric characters (start with an alphabetic character), and it crashes SciTE if the ruby lexer is used (try attached file).

Jeremy
Attachment: crash_ruby_lexer.rb (binary data)
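The inline-wrapper approach Reece describes, together with Jeremy's point about fixed-size buffer copies, as an added example that is neither Scintilla's code nor either poster's: a wrapper selected by compiler defines (native strlcpy, the VC2005 secure CRT, or a roll-your-own fallback), then a constructed 105-character input copied into a 101-byte buffer to show that truncation is reported instead of overrunning. The names scin_strlcpy, SCIN_HAVE_STRLCPY and the demo functions are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical wrapper for this example: the name scin_strlcpy and the
 * SCIN_HAVE_STRLCPY detection macro are assumptions, not Scintilla's code. */
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__APPLE__)
#  define SCIN_HAVE_STRLCPY 1
#endif

/* Copy src into dst (size bytes), always NUL-terminating when size > 0.
 * Returns strlen(src) so a caller detects truncation with: ret >= size. */
static inline size_t scin_strlcpy(char *dst, const char *src, size_t size)
{
#if defined(SCIN_HAVE_STRLCPY)
    return strlcpy(dst, src, size);              /* native BSD strlcpy */
#elif defined(_MSC_VER) && _MSC_VER >= 1400
    strncpy_s(dst, size, src, _TRUNCATE);        /* VC2005 secure CRT */
    return strlen(src);
#else
    size_t len = strlen(src);                    /* roll-your-own fallback */
    if (size > 0) {
        size_t n = len < size ? len : size - 1;  /* leave room for the NUL */
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
#endif
}

/* Test hook: copy src into a 16-byte static buffer using the given size
 * argument and return the wrapper's result; demo_buf holds the copy. */
char demo_buf[16];
size_t demo_copy(const char *src, size_t size)
{
    return scin_strlcpy(demo_buf, src, size);
}

/* Constructed scenario (not the LexRuby code): a 105-character identifier
 * copied into a 101-byte buffer. Returns 1 when the wrapper truncates,
 * reports it via the return value, and leaves the buffer NUL-terminated. */
int demo_truncation_detected(void)
{
    char word[106], buf[101];
    size_t i, copied;
    for (i = 0; i < 105; i++)
        word[i] = (char)('a' + i % 26);
    word[105] = '\0';
    copied = scin_strlcpy(buf, word, sizeof buf);
    return copied >= sizeof buf && strlen(buf) == sizeof buf - 1;
}
```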
_______________________________________________
Scintilla-interest mailing list
[email protected]
http://mailman.lyra.org/mailman/listinfo/scintilla-interest
