[PATCH] Re: New bug added to README

[Igor Pechtchanski <pechtcha at cs dot nyu dot edu>]

Resending with a better subject this time.  Oh, and "ping".
	Igor

---------- Forwarded message ----------
Date: Thu, 17 Apr 2003 10:08:16 -0400 (EDT)
From: Igor Pechtchanski <pechtcha at cs dot nyu dot edu>
Reply-To: cygwin-apps at cygwin dot com
To: Max Bowsher <maxb at ukf dot net>
Cc: cygwin-apps at cygwin dot com
Subject: Re: New bug added to README

On Thu, 17 Apr 2003, Max Bowsher wrote:

> maxb wrote:
> > CVSROOT: /cvs/cygwin-apps
> > Module name: setup
> > Changes by: maxb 2003-04-17 08:41:41
> >
> > Log message:
> > New bug in TODO:
> >
> > * Audit rfc1738 code for bad memory/string handling. Example: Crash occurs
> > if rfc1738 encoded dirname is truncated in the middle of a %xx sequence.
>
> Suggesting this be considered for Release Blocker status.
> Max.

Yup, there's a bug all-right:

rfc1738.cc, in rfc1738_unescape() [line 201]:
   for (i = j = 0; s[j]; i++, j++)
     {
       s[i] = s[j];
       if (s[i] != '%')
         continue;
       if (s[j + 1] == '%')
         {                       /* %% case */
           j++;
           continue;
         }
>      if (s[j + 1] && s[j + 2])

It will crash in the line above, since it overruns the buffer (by 2).  I'm
attaching a patch.  Perhaps the squid people should also be notified.
        Igor
==============================================================================
ChangeLog:
2003-04-17  Igor Pechtchanski  <pechtcha at cs dot nyu dot edu>

	* rfc1738.cc (rfc1738_unescape): Handle incomplete escape.

-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha at cs dot nyu dot edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor at watson dot ibm dot com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

Knowledge is an unending adventure at the edge of uncertainty.
  -- Leto II

Attachment: setup-rfc1738-fix.patch
Description: Text document