Bounds-check the buffer being written in msgeditor() · ff386400
Rob Swindell authored
Replace the suspicious strcpy/strcat's in msgeditor(), the built-in line
editor, with bounds-enforced snprintf() calls.
Also, properly define MAX_LINE_LEN to account for the trailing \r\n on each
line. It appears we've been under-allocating the total possible message buffer
size (by 2 bytes per line) for a while now.
These 2 changes together should fix issue #547: apparent heap corruption due
to 'buf' overflow in msgeditor().
Also added a line count check/cap-enforcement with logged error message if
exceeded (should never happen).

Also fixed in this commit: off-by-one when enforcing max message length in
msgeditor().

Also added checks that the 'cols' (used in MAX_LINE_LEN) are reasonable values
(40+); 2 was below the threshold of what would be expected to work since
there is logic that deducts 4 from cols, for example.
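As an added illustration (not Synchronet's code and not part of this commit), a constructed C sketch of the shape of the fix: a per-line capacity that counts the trailing \r\n, a total buffer size derived from it, and a bounds-enforced snprintf() append that refuses a line rather than overflowing. MIN_COLS, MAX_LINES, message_buffer_size(), append_line() and fill_lines() are hypothetical names chosen for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Constructed illustration of the fix's shape; names are hypothetical, not Synchronet's. */
#define MIN_COLS  40   /* 'cols' below this is rejected, as the commit describes */
#define MAX_LINES 8    /* small line-count cap for the demo */
/* Per-line capacity includes the trailing "\r\n": the 2 bytes per line the old total size left out. */
#define MAX_LINE_LEN(cols) ((size_t)(cols) + 2)

/* Buffer needed for max_lines full lines plus the terminating NUL; the old
   sizing was max_lines * cols + 1. */
size_t message_buffer_size(int cols, int max_lines)
{
    return (size_t)max_lines * MAX_LINE_LEN(cols) + 1;
}

/* Append `line` to buf (capacity bufsz) as "line\r\n" with bounds enforced.
   Returns false, leaving buf unchanged, when cols is unreasonable, the line is
   wider than cols, the line cap is reached, or the text would not fit. */
bool append_line(char *buf, size_t bufsz, int cols, int *nlines, const char *line)
{
    if (cols < MIN_COLS || strlen(line) > (size_t)cols)
        return false;
    if (*nlines >= MAX_LINES)     /* cap enforcement; the commit logs an error here */
        return false;
    size_t used = strlen(buf), avail = bufsz - used;
    /* snprintf never writes past avail; a result >= avail means it would have. */
    int n = snprintf(buf + used, avail, "%s\r\n", line);
    if (n < 0 || (size_t)n >= avail) {
        buf[used] = '\0';         /* discard the truncated partial write */
        return false;
    }
    (*nlines)++;
    return true;
}

/* Fill a buffer of bufsz bytes with full-width lines; returns how many fit. */
int fill_lines(size_t bufsz, int cols)
{
    char buf[4096] = "", line[256];
    int nlines = 0;
    if (bufsz > sizeof buf || cols < 0 || cols >= (int)sizeof line)
        return -1;
    memset(line, 'x', (size_t)cols);
    line[cols] = '\0';
    while (append_line(buf, bufsz, cols, &nlines, line)) { }
    return nlines;
}
```

With 80 columns the corrected size holds all 8 lines, while the old `max_lines * cols + 1` sizing holds only 7: the eighth line is refused by the bounded write instead of corrupting the heap.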