    131f9d7c
    Fix 20+ year old bug that allowed getstr(... K_WRAP) to overflow wordwrap buf
    Rob Swindell authored
    The sbbs_t::wordwrap[] buffer was 81 characters (80 printable characters, plus
    NUL terminator) and sbbs_t.getstr(), when used with the K_WRAP mode flag could
    potentially write more than 81 characters to this buffer (e.g. when using a
    wider than 80 column terminal and writing a message with the internal line
    editor which calls sbbs_t::getstr(... K_WRAP)) - would corrupt sbbs_t members
    after wordwrap[], which included pointers that would be freed in the sbbs_t
    destructor (~sbbs_t) and subsequently page/segfault as seen in issue #545.
    
    This change increases the wordwrap buffer to likely twice the size needed
    (maximum columns + NUL terminator) and adds wordwrap bounds checking to
    sbbs_t::getstr().
    
    There were comments indicating crash sightings in the sbbs_t destructor going
    back to 2002, so this commit removes those comments.
    
    Thanks to Nelgin for providing the gdb dump details ('print *this') that was
    the clue needed to reach the root-cause determination.
    
    This fixes issue #545.
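The bug class the commit message describes is a fixed-size carry-over buffer written to with no check against its size, so that an over-wide line spills into the struct members that follow it. The following is an added illustration written for this page, not Synchronet's own code: a simplified K_WRAP-style word wrap in which the text carried to the next line is copied into a bounded buffer only after checking that it fits. The names `wrap_state`, `carry_tail` and `demo_wrap`, the `MAX_COLS` value and the sample lines are all assumptions; the sizing of the buffer to twice the maximum line plus NUL mirrors the choice stated in the commit message.

```c
/* Added example, not the project's code. Demonstrates a bounds-checked
 * word-wrap carry buffer of the kind the commit message describes.
 * Names and constants here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_COLS 255                          /* assumed maximum terminal width */
#define WRAP_BUF_SIZE ((MAX_COLS + 1) * 2)    /* twice (columns + NUL), as in the fix */

typedef struct {
    char wordwrap[WRAP_BUF_SIZE];   /* text carried over to the next line */
    char *next;                     /* member after the buffer; an unchecked write
                                       into wordwrap[] would clobber this pointer */
} wrap_state;

/* Split `line`, which has grown past `cols` printable columns, at the last
 * space within the first `cols` characters. The trailing word is stored in
 * st->wordwrap so the editor can prepend it to the next line, and `line` is
 * truncated at the break.
 * Returns the number of characters stored in wordwrap, 0 when no wrap was
 * needed, or -1 when there is no break point or the tail would not fit
 * (in which case wordwrap is emptied and `line` is left unmodified). */
int carry_tail(wrap_state *st, char *line, size_t cols)
{
    size_t len = strlen(line);
    if (len <= cols) {                      /* line still fits: nothing to carry */
        st->wordwrap[0] = '\0';
        return 0;
    }
    size_t i = cols;
    while (i > 0 && line[i] != ' ')         /* walk back to the last space */
        i--;
    if (i == 0) {                           /* one unbroken word: no break point */
        st->wordwrap[0] = '\0';
        return -1;
    }
    const char *tail = line + i + 1;
    size_t taillen = len - (i + 1);
    /* The check the original code lacked: never write past the buffer,
     * regardless of how wide the caller's terminal is. */
    if (taillen >= sizeof st->wordwrap) {
        st->wordwrap[0] = '\0';
        return -1;
    }
    memcpy(st->wordwrap, tail, taillen + 1);  /* +1 copies the NUL terminator */
    line[i] = '\0';                           /* end the current line at the space */
    return (int)taillen;
}

/* Exercises the normal case and the oversize case on constructed input.
 * Returns 1 if every observation matches the expected behaviour, else 0. */
int demo_wrap(void)
{
    wrap_state st;
    char marker[] = "sentinel";
    st.next = marker;                       /* must survive both calls untouched */

    /* Constructed sample: a short line wrapped at 11 columns. */
    char line[32] = "hello world foo";
    if (carry_tail(&st, line, 11) != 3) return 0;
    if (strcmp(st.wordwrap, "foo") != 0) return 0;
    if (strcmp(line, "hello world") != 0) return 0;

    /* Constructed sample: a 600-character line whose only space is at index 5,
     * so the tail (594 chars) exceeds WRAP_BUF_SIZE and must be refused. */
    char big[601];
    memset(big, 'x', 600);
    big[600] = '\0';
    big[5] = ' ';
    if (carry_tail(&st, big, 10) != -1) return 0;
    if (st.wordwrap[0] != '\0') return 0;
    if (strlen(big) != 600) return 0;       /* line left unmodified */

    if (st.next != marker) return 0;        /* neighbouring member intact */
    return 1;
}

int main(void)
{
    printf("bounded wrap demo: %s\n", demo_wrap() ? "ok" : "FAILED");
    return 0;
}
```

The point of `carry_tail` returning -1 rather than truncating silently is that the caller can decide how to handle an unbreakable or oversize line; the essential property is that no code path writes past `sizeof st->wordwrap`, so the members after it (here `next`, standing in for the pointers freed in `~sbbs_t`) can no longer be corrupted.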