Skip to content
Snippets Groups Projects
Select Git revision
  • dd_msg_reader_list_personal_email_in_reverse_choose_msg_fix
  • dailybuild_linux-x64
  • dailybuild_win32
  • master default protected
  • sqlite
  • rip_abstraction
  • dailybuild_macos-armv8
  • dd_file_lister_filanem_in_desc_color
  • mode7
  • dd_msg_reader_are_you_there_warning_improvement
  • c23-playing
  • syncterm-1.3
  • syncterm-1.2
  • test-build
  • hide_remote_connection_with_telgate
  • 638-can-t-control-c-during-a-file-search
  • add_body_to_pager_email
  • mingw32-build
  • cryptlib-3.4.7
  • ree/mastermind
  • sbbs320d
  • syncterm-1.6
  • syncterm-1.5
  • syncterm-1.4
  • sbbs320b
  • syncterm-1.3
  • syncterm-1.2
  • syncterm-1.2rc6
  • syncterm-1.2rc5
  • push
  • syncterm-1.2rc4
  • syncterm-1.2rc2
  • syncterm-1.2rc1
  • sbbs319b
  • sbbs318b
  • goodbuild_linux-x64_Sep-01-2020
  • goodbuild_win32_Sep-01-2020
  • goodbuild_linux-x64_Aug-31-2020
  • goodbuild_win32_Aug-31-2020
  • goodbuild_win32_Aug-30-2020
40 results

getstr.cpp

Blame
    • Rob Swindell's avatar
      131f9d7c
      Fix 20+ year old bug that allowed getstr(... K_WRAP) to overflow wordwrap buf · 131f9d7c
      Rob Swindell authored
      The sbbs_t::wordwrap[] buffer was 81 characters (80 printable characters, plus
      NUL terminator) and sbbs_t.getstr(), when used with the K_WRAP mode flag could
      potentially write more than 81 characters to this buffer (e.g. when using a
      wider than 80 column terminal and writing a message with the internal line
      editor which calls sbbs_t::getstr(... K_WRAP)) - would corrupt sbbs_t members
      after wordwrap[], which included pointers that would be freed in the sbbs_t
      destructor (~sbbs_t) and subsequently page/segfault as seen in issue #545.
      
      This change increases the wordwrap buffer to likely twice the same needed
      (maximum columns + NUL terminator) and adds wordwrap bounds checking to
      sbbs_t::getstr().
      
      There were comments indicating crash sightings in the sbsb_t destructor going
      back to 2002, so this commit removes those comments.
      
      Thanks to Nelgin for providing the gdb dump details ('print *this') that was
      the clue needed to reach the root-cause determination.
      
      This fixes issue #545.
      131f9d7c
      History
      Fix 20+ year old bug that allowed getstr(... K_WRAP) to overflow wordwrap buf
      Rob Swindell authored
      The sbbs_t::wordwrap[] buffer was 81 characters (80 printable characters, plus
      NUL terminator) and sbbs_t.getstr(), when used with the K_WRAP mode flag could
      potentially write more than 81 characters to this buffer (e.g. when using a
      wider than 80 column terminal and writing a message with the internal line
      editor which calls sbbs_t::getstr(... K_WRAP)) - would corrupt sbbs_t members
      after wordwrap[], which included pointers that would be freed in the sbbs_t
      destructor (~sbbs_t) and subsequently page/segfault as seen in issue #545.
      
      This change increases the wordwrap buffer to likely twice the same needed
      (maximum columns + NUL terminator) and adds wordwrap bounds checking to
      sbbs_t::getstr().
      
      There were comments indicating crash sightings in the sbsb_t destructor going
      back to 2002, so this commit removes those comments.
      
      Thanks to Nelgin for providing the gdb dump details ('print *this') that was
      the clue needed to reach the root-cause determination.
      
      This fixes issue #545.