Commit 63406890 authored by Rob Swindell

Fix 20+ year old bug that allowed getstr(... K_WRAP) to overflow wordwrap buf

The sbbs_t::wordwrap[] buffer was 81 characters (80 printable characters, plus
NUL terminator) and sbbs_t.getstr(), when used with the K_WRAP mode flag could
potentially write more than 81 characters to this buffer (e.g. when using a
wider than 80 column terminal and writing a message with the internal line
editor which calls sbbs_t::getstr(... K_WRAP)) - would corrupt sbbs_t members
after wordwrap[], which included pointers that would be freed in the sbbs_t
destructor (~sbbs_t) and subsequently page/segfault as seen in issue #545.

This change increases the wordwrap buffer to likely twice the size needed
(maximum columns + NUL terminator) and adds wordwrap bounds checking to
sbbs_t::getstr().

There were comments indicating crash sightings in the sbbs_t destructor going
back to 2002, so this commit removes those comments.

Thanks to Nelgin for providing the gdb dump details ('print *this') that were
the clue needed to reach the root-cause determination.

This fixes issue #545.
parent 3f900491
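As an added illustration, not Synchronet's code and not part of this commit, here is a simplified C model of the bug and fix described in the message: a fixed 81-byte wordwrap buffer sits directly before a heap pointer that teardown frees, and the K_WRAP save clamps the wrapped tail to the buffer instead of writing past it. The struct layout, the wrap-at-last-space rule, and every name in it are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the layout the commit describes (not the real sbbs_t): an
 * 81-byte wrap buffer followed by a pointer that an unchecked write clobbers. */
#define WORDWRAP_SZ 81   /* 80 printable columns + NUL, the pre-fix size */
struct editor_state {
    char  wordwrap[WORDWRAP_SZ];
    char *heap_member;                     /* freed on teardown */
};

/* Bounds-checked K_WRAP save: break `line` at the last space at or before
 * `cols` (assumed wrap rule), keep the tail for the next line, and truncate
 * rather than overflow when the tail is longer than the buffer.
 * Returns the number of bytes stored in wordwrap[]. */
size_t save_wordwrap(struct editor_state *st, const char *line, size_t cols)
{
    size_t len = strlen(line), brk = cols;
    st->wordwrap[0] = '\0';
    if (len <= cols)
        return 0;                          /* fits on one line: nothing to wrap */
    while (brk > 0 && line[brk] != ' ')
        brk--;
    if (brk == 0)
        brk = cols;                        /* no space found: hard break */
    const char *rest = line + brk;
    while (*rest == ' ')
        rest++;
    size_t n = strlen(rest);
    if (n >= sizeof(st->wordwrap))         /* the check the old code lacked */
        n = sizeof(st->wordwrap) - 1;
    memcpy(st->wordwrap, rest, n);
    st->wordwrap[n] = '\0';
    return n;
}

/* Replays the reported scenario: a terminal wider than 80 columns and a line
 * whose wrapped tail far exceeds 80 bytes. Returns 1 if the neighbouring
 * pointer survives and wordwrap[] stays NUL-terminated within bounds. */
int wide_terminal_is_safe(size_t cols)
{
    struct editor_state st;
    char *sentinel = malloc(16);
    char line[400];                        /* constructed input */
    st.heap_member = sentinel;
    memset(line, 'x', sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';
    line[40] = ' ';                        /* single break point */
    size_t n = save_wordwrap(&st, line, cols);
    int ok = st.heap_member == sentinel && n < sizeof(st.wordwrap) &&
             st.wordwrap[n] == '\0';
    free(sentinel);
    return ok;
}
```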