Skip to content
Snippets Groups Projects
Select Git revision
  • dailybuild_linux-x64
  • dailybuild_win32
  • master default protected
  • sqlite
  • rip_abstraction
  • dailybuild_macos-armv8
  • dd_file_lister_filanem_in_desc_color
  • mode7
  • dd_msg_reader_are_you_there_warning_improvement
  • c23-playing
  • syncterm-1.3
  • syncterm-1.2
  • test-build
  • hide_remote_connection_with_telgate
  • 638-can-t-control-c-during-a-file-search
  • add_body_to_pager_email
  • mingw32-build
  • cryptlib-3.4.7
  • ree/mastermind
  • new_user_dat
  • sbbs320d
  • syncterm-1.6
  • syncterm-1.5
  • syncterm-1.4
  • sbbs320b
  • syncterm-1.3
  • syncterm-1.2
  • syncterm-1.2rc6
  • syncterm-1.2rc5
  • push
  • syncterm-1.2rc4
  • syncterm-1.2rc2
  • syncterm-1.2rc1
  • sbbs319b
  • sbbs318b
  • goodbuild_linux-x64_Sep-01-2020
  • goodbuild_win32_Sep-01-2020
  • goodbuild_linux-x64_Aug-31-2020
  • goodbuild_win32_Aug-31-2020
  • goodbuild_win32_Aug-30-2020
40 results

getstr.cpp

  • Rob Swindell's avatar
    131f9d7c
    Fix 20+ year old bug that allowed getstr(... K_WRAP) to overflow wordwrap buf · 131f9d7c
    Rob Swindell authored
    The sbbs_t::wordwrap[] buffer was 81 characters (80 printable characters, plus
    NUL terminator) and sbbs_t.getstr(), when used with the K_WRAP mode flag could
    potentially write more than 81 characters to this buffer (e.g. when using a
    wider than 80 column terminal and writing a message with the internal line
    editor which calls sbbs_t::getstr(... K_WRAP)) - would corrupt sbbs_t members
    after wordwrap[], which included pointers that would be freed in the sbbs_t
    destructor (~sbbs_t) and subsequently page/segfault as seen in issue #545.
    
    This change increases the wordwrap buffer to likely twice the same needed
    (maximum columns + NUL terminator) and adds wordwrap bounds checking to
    sbbs_t::getstr().
    
    There were comments indicating crash sightings in the sbsb_t destructor going
    back to 2002, so this commit removes those comments.
    
    Thanks to Nelgin for providing the gdb dump details ('print *this') that was
    the clue needed to reach the root-cause determination.
    
    This fixes issue #545.
    131f9d7c
    History
    Fix 20+ year old bug that allowed getstr(... K_WRAP) to overflow wordwrap buf
    Rob Swindell authored
    The sbbs_t::wordwrap[] buffer was 81 characters (80 printable characters, plus
    NUL terminator) and sbbs_t.getstr(), when used with the K_WRAP mode flag could
    potentially write more than 81 characters to this buffer (e.g. when using a
    wider than 80 column terminal and writing a message with the internal line
    editor which calls sbbs_t::getstr(... K_WRAP)) - would corrupt sbbs_t members
    after wordwrap[], which included pointers that would be freed in the sbbs_t
    destructor (~sbbs_t) and subsequently page/segfault as seen in issue #545.
    
    This change increases the wordwrap buffer to likely twice the same needed
    (maximum columns + NUL terminator) and adds wordwrap bounds checking to
    sbbs_t::getstr().
    
    There were comments indicating crash sightings in the sbsb_t destructor going
    back to 2002, so this commit removes those comments.
    
    Thanks to Nelgin for providing the gdb dump details ('print *this') that was
    the clue needed to reach the root-cause determination.
    
    This fixes issue #545.