This is just to call attention to Secunia advisory SA25245 on Notepad++: http://secunia.com/advisories/25245/
As an excerpt: "The vulnerability is caused due to a boundary error within the SciLexer module (SciLexer.dll) when processing ruby source files (.rb). This can be exploited to cause a stack-based buffer overflow when a specially crafted file is opened."

I tried the exploit at http://milw0rm.com/exploits/3912 and indeed it crashes Scintilla 173, but it did not work, meaning it did not execute calc.exe, which was the exploit's goal. It may be successful on its target, Windows XP SP2 English. I don't know, as I used the Spanish version of XP SP2, and I've got no time to investigate it further.

One way or another, I've taken a look into LexRuby.cxx and debugged it on Linux:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -1208231552 (LWP 6959)]
    0x0806c27b in Accessor::operator[] (this=0xbffe7c78, position=157) at ../include/Accessor.h:38
    38          Fill(position);
    (gdb) bt
    #0  0x0806c27b in Accessor::operator[] (this=0xbffe7c78, position=157) at ../include/Accessor.h:38
    #1  0x080d16e8 in ClassifyWordRb (start=36, end=163, [EMAIL PROTECTED], [EMAIL PROTECTED], prevWord=0xbffe7ad7 "") at ../src/LexRuby.cxx:108
    #2  0x78787878 in ?? ()
    #3  0xbffe7c78 in ?? ()
    #4  0xbffe7ad7 in ?? ()
    #5  0xbffe7c28 in ?? ()
    #6  0x080d2780 in ColouriseRbDoc (startPos=Cannot access memory at address 0x78787880
    ) at ../src/LexRuby.cxx:1031
    Previous frame inner to this frame (corrupt stack?)

A quick look at LexRuby.cxx shows the culprit:

    ./scintilla/src/LexRuby.cxx:62:   #define MAX_KEYWORD_LENGTH 200
    ./scintilla/src/LexRuby.cxx:101:  char s[100];
                                           ^^^
        unsigned int i, j;
        unsigned int lim = end - start + 1; // num chars to copy
        if (lim >= MAX_KEYWORD_LENGTH) {
            ^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^
            lim = MAX_KEYWORD_LENGTH - 1;
        }

It uses a 100 char array to store the keyword, and then uses MAX_KEYWORD_LENGTH to check its bounds.
I suggest changing it to:

    char s[MAX_KEYWORD_LENGTH];

A fixed-up version is at: http://iagorubio.com/scintilla/LexRuby.cxx

Maybe it's worth changing MAX_KEYWORD_LENGTH from 200 to 100 if this lexer didn't use to segfault, as in most use cases a 100 char array seems to hold a Ruby keyword. If not, I think there should have been more bug reports on this issue.

More on this: the specially crafted Ruby file resulting from running the exploit with no arguments (targeting WinXP SP2 English): http://iagorubio.com/scintilla/secunia_SA25245.rb

Regards.
-- 
Iago Rubio

_______________________________________________
Scintilla-interest mailing list
[email protected]
http://mailman.lyra.org/mailman/listinfo/scintilla-interest
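The mismatch the post describes (a 100-byte stack array whose copy limit is clamped against a 200 constant) and the one-line fix it suggests, shown side by side as an added example. This is not Scintilla's code: the function names are hypothetical, the copy loop only reproduces the shape the post quotes (copy `lim` characters into `s[]`, then append a NUL), the document accessor is replaced by a plain `char *`, and the 'x' run used as input is constructed (0x78 is 'x', the value filling the corrupt frames in the backtrace). The third function quantifies the overrun arithmetically, so the vulnerable copy itself is never driven past its array.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Scintilla's code): the shape of the keyword copy in
   ClassifyWordRb as the post describes it, in a vulnerable and a fixed form,
   plus a function that quantifies the overrun without executing it. */

#define MAX_KEYWORD_LENGTH 200   /* the constant the original bound check used */
#define VULN_ARRAY_SIZE    100   /* the real size of `char s[100]` */

/* Vulnerable shape: the copy limit is clamped against MAX_KEYWORD_LENGTH
   (200) while the destination holds only 100 bytes, so any word of
   100..199 characters (plus its NUL) overruns s[]. Kept for comparison
   only; callers must pass words shorter than the array. */
static size_t copy_keyword_vulnerable(const char *doc, unsigned start, unsigned end)
{
    char s[VULN_ARRAY_SIZE];
    unsigned i, j;
    unsigned lim = end - start + 1;          /* num chars to copy */
    if (lim >= MAX_KEYWORD_LENGTH)           /* wrong bound: 200 > sizeof(s) */
        lim = MAX_KEYWORD_LENGTH - 1;
    for (i = start, j = 0; j < lim; i++, j++)
        s[j] = doc[i];
    s[j] = '\0';
    return strlen(s);
}

/* Fixed shape: the array is sized by the same constant (the post's
   suggestion) and the clamp is written through sizeof(s), so the array
   size and the bound cannot drift apart again. Returns the number of
   characters kept. */
static size_t copy_keyword_fixed(const char *doc, unsigned start, unsigned end)
{
    char s[MAX_KEYWORD_LENGTH];
    unsigned lim = end - start + 1;
    if (lim >= sizeof(s))
        lim = sizeof(s) - 1;                 /* leave room for the terminator */
    memcpy(s, doc + start, lim);
    s[lim] = '\0';
    return strlen(s);
}

/* How many bytes the vulnerable copy writes past the end of s[100] for a
   word of word_len characters, computed arithmetically (no memory is
   touched): the clamp caps the copy at 199 chars and one NUL follows. */
static size_t overrun_bytes_vulnerable(size_t word_len)
{
    size_t lim = word_len;
    if (lim >= MAX_KEYWORD_LENGTH)
        lim = MAX_KEYWORD_LENGTH - 1;
    size_t written = lim + 1;                /* chars plus terminating NUL */
    return written > VULN_ARRAY_SIZE ? written - VULN_ARRAY_SIZE : 0;
}

int main(void)
{
    /* Constructed input: a 300-byte run of 'x' standing in for an overlong
       identifier in a .rb file. */
    char doc[301];
    memset(doc, 'x', 300);
    doc[300] = '\0';

    /* The backtrace shows start=36, end=163, i.e. a 128-character word. */
    printf("overrun for a 128-char word: %zu bytes past s[100]\n",
           overrun_bytes_vulnerable(128));
    printf("fixed copy keeps %zu of 300 chars\n", copy_keyword_fixed(doc, 0, 299));
    printf("vulnerable copy of a 50-char word (within bounds): %zu chars\n",
           copy_keyword_vulnerable(doc, 0, 49));
    return 0;
}
```

With the values from the backtrace (start=36, end=163) the copy is 128 characters plus a NUL into a 100-byte array, a 29-byte overrun that lands on the saved frame data, which matches the `0x78787878` return address gdb reports. Deriving the clamp from `sizeof(s)` is the habit worth keeping beyond this one lexer: a bound that lives in a separate constant is only correct until someone edits one of the two.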
