rpms/lynx/F-13 lynx-2.8.7-alloca.patch,NONE,1.1 lynx.spec,1.63,1.64

Kamil Dudka kdudka at fedoraproject.org
Wed Jul 7 14:36:49 UTC 2010


Author: kdudka

Update of /cvs/extras/rpms/lynx/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv9253

Modified Files:
	lynx.spec 
Added Files:
	lynx-2.8.7-alloca.patch 
Log Message:
- upstream patch that limits length of parsed URIs (#605286)

lynx-2.8.7-alloca.patch:
 WWW/Library/Implementation/HTParse.c |   47 +++++++++++++++++++++++------------
 src/LYGlobalDefs.h                   |    1 
 src/LYMain.c                         |    1 
 3 files changed, 34 insertions(+), 15 deletions(-)

--- NEW FILE lynx-2.8.7-alloca.patch ---
 WWW/Library/Implementation/HTParse.c |   47 +++++++++++++++++++++++-----------
 src/LYGlobalDefs.h                   |    1 +
 src/LYMain.c                         |    1 +
 3 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/WWW/Library/Implementation/HTParse.c b/WWW/Library/Implementation/HTParse.c
index c9bfbbf..b265e22 100644
--- a/WWW/Library/Implementation/HTParse.c
+++ b/WWW/Library/Implementation/HTParse.c
@@ -12,6 +12,7 @@
 #include <LYLeaks.h>
 #include <LYStrings.h>
 #include <LYCharUtils.h>
+#include <LYGlobalDefs.h>
 
 #ifdef HAVE_ALLOCA_H
 #include <alloca.h>
@@ -255,7 +256,8 @@ char *HTParse(const char *aName,
     char *result = NULL;
     char *tail = NULL;		/* a pointer to the end of the 'result' string */
     char *return_value = NULL;
-    unsigned len, len1, len2;
+    size_t len, len1, len2;
+    size_t need;
     char *name = NULL;
     char *rel = NULL;
     char *p, *q;
@@ -290,9 +292,17 @@ char *HTParse(const char *aName,
     len2 = strlen(relatedName) + 1;
     len = len1 + len2 + 8;	/* Lots of space: more than enough */
 
-    result = tail = (char *) LYalloca(len * 2 + len1 + len2);
+    need = (len * 2 + len1 + len2);
+    if (need > (size_t) max_uri_size ||
+	(int) need < (int) len1 ||
+	(int) need < (int) len2)
+	return StrAllocCopy(return_value, "");
+
+    result = tail = (char *) LYalloca(need);
     if (result == NULL) {
 	outofmem(__FILE__, "HTParse");
+
+	assert(result != NULL);
     }
     *result = '\0';
     name = result + len;
@@ -674,21 +684,28 @@ const char *HTParseAnchor(const char *aName)
 	 * keeping in mind scan() peculiarities on schemes:
 	 */
 	struct struct_parts given;
+	size_t need = ((unsigned) ((p - aName) + (int) strlen(p) + 1));
+	char *name;
 
-	char *name = (char *) LYalloca((unsigned) ((p - aName)
-						   + (int) strlen(p) + 1));
+	if (need > (size_t) max_uri_size) {
+	    p += strlen(p);
+	} else {
+	    name = (char *) LYalloca(need);
 
-	if (name == NULL) {
-	    outofmem(__FILE__, "HTParseAnchor");
-	}
-	strcpy(name, aName);
-	scan(name, &given);
-	LYalloca_free(name);
-
-	p++;			/*next to '#' */
-	if (given.anchor == NULL) {
-	    for (; *p; p++)	/*scroll to end '\0' */
-		;
+	    if (name == NULL) {
+		outofmem(__FILE__, "HTParseAnchor");
+
+		assert(name != NULL);
+	    }
+	    strcpy(name, aName);
+	    scan(name, &given);
+	    LYalloca_free(name);
+
+	    p++;		/*next to '#' */
+	    if (given.anchor == NULL) {
+		for (; *p; p++)	/*scroll to end '\0' */
+		    ;
+	    }
 	}
     }
     return p;
diff --git a/src/LYGlobalDefs.h b/src/LYGlobalDefs.h
index d0c5ab1..cc3e1e8 100644
--- a/src/LYGlobalDefs.h
+++ b/src/LYGlobalDefs.h
@@ -305,6 +305,7 @@ extern "C" {
     extern int max_cookies_buffer;
     extern int max_cookies_domain;
     extern int max_cookies_global;
+    extern int max_uri_size;
 #ifdef USE_SESSIONS
     extern short session_limit;	/* maximal entries saved/restored
 				   in session file */
diff --git a/src/LYMain.c b/src/LYMain.c
index 126a30f..0ccebe5 100644
--- a/src/LYMain.c
+++ b/src/LYMain.c
@@ -494,6 +494,7 @@ int lynx_temp_subspace = 0;	/* > 0 if we made temp-directory */
 int max_cookies_domain = 50;
 int max_cookies_global = 500;
 int max_cookies_buffer = 4096;
+int max_uri_size = 8192;
 int nlinks = 0;			/* number of links in memory */
 int outgoing_mail_charset = -1;	/* translate mail to this charset */
 


Index: lynx.spec
===================================================================
RCS file: /cvs/extras/rpms/lynx/F-13/lynx.spec,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -p -r1.63 -r1.64
--- lynx.spec	13 Jan 2010 08:59:26 -0000	1.63
+++ lynx.spec	7 Jul 2010 14:36:49 -0000	1.64
@@ -1,7 +1,7 @@
 Summary: A text-based Web browser
 Name: lynx
 Version: 2.8.7
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Group: Applications/Internet
 Source: http://lynx.isc.org/lynx%{version}/lynx%{version}.tar.bz2
@@ -11,6 +11,8 @@ Patch1: lynx-2.8.6-backgrcolor.patch
 Patch2: lynx-build-fixes.patch
 Patch3: lynx-CVE-2008-4690.patch
 Patch4: lynx-2.8.7-bm-del.patch
+Patch5: lynx-2.8.7-alloca.patch
+
 Provides: webclient
 Provides: text-www-browser
 BuildRequires: gettext
@@ -53,6 +55,9 @@ exits quickly and swiftly displays web p
 # by group (#486070)
 %patch4 -p1
 
+# bz #605286
+%patch5 -p1
+
 perl -pi -e "s,^HELPFILE:.*,HELPFILE:file://localhost/usr/share/doc/lynx-%{version}/lynx_help/lynx_help_main.html,g" lynx.cfg
 perl -pi -e "s,^DEFAULT_INDEX_FILE:.*,DEFAULT_INDEX_FILE:http://www.google.com/,g" lynx.cfg
 perl -pi -e 's,^#LOCALE_CHARSET:.*,LOCALE_CHARSET:TRUE,' lynx.cfg
@@ -124,6 +129,9 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace,missingok) %{_sysconfdir}/lynx-site.cfg
 
 %changelog
+* Wed Jul 07 2010 Kamil Dudka <kdudka at redhat.com> - 2.8.7-3
+- upstream patch that limits length of parsed URIs (#605286)
+
 * Wed Jan 13 2010 Kamil Dudka <kdudka at redhat.com> - 2.8.7-2
 - make it possible to delete a bookmark when ~/lynx_bookmarks.html is writable
   by group (#486070)



More information about the scm-commits mailing list