Hi Christian,
On 4/12/2025 9:37 AM, Christian Franke via Cygwin wrote:
> ggl329 via Cygwin wrote:
>> Hi all,
>>
>> I've encountered a possible bug in cygstart.
>> It seems to abort when a URI is passed to it.
>>
>> $ cygcheck -dc | grep cygutils
>> cygutils 1.4.17-3
>>
>> $ cygstart https://www.google.com
>> *** buffer overflow detected ***: terminated
>> Aborted
>
> Possibly no regression but longstanding bug which is now detected thanks
> to gcc12's __builtin_dynamic_object_size() feature and -D_FORTIFY_SOURCE=3:
>
> cygstart.c:
>
> cygstart_mbs_to_wcs (const char *mbs_path, wchar_t **wcs_path)
> {
>   ...
>   *wcs_path = (wchar_t *) malloc ((len + 1) * sizeof (wchar_t));
>   ...
>   // *** buffer overflow detected *** because the length parameter
>   // should specify the number of characters instead of bytes:
>   if (mbstowcs (*wcs_path, mbs_path, (len + 1) * sizeof (wchar_t)) ...
>   ...
> }

It looks to me like that 'if' statement should read
    if (mbstowcs (*wcs_path, mbs_path, len) ...
because 'len' determined near the top should be the number of characters
involved, without a trailing NUL. Then existing code fills in the NUL
at character index 'len' in the buffer. IOW the converted chars occupy
character indexes 0 thru len-1.
If you concur I can update cygutils with this fix shortly.
Thanks & Regards,
..mark
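
Added example, not part of the original message and not the cygutils source: a self-contained C conversion helper showing that the third argument of mbstowcs() counts wchar_t elements while malloc() takes bytes. The names mbs_to_wcs_checked and count_fits are hypothetical, count_fits is only an assumed model of the bound a fortified build checks, and the helper passes len + 1 elements, which is also within the allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Model of the bound a fortified mbstowcs() enforces (assumed form): the
 * count argument must not exceed the destination capacity in wchar_t. */
int count_fits(size_t count, size_t alloc_bytes)
{
    return count <= alloc_bytes / sizeof(wchar_t);
}

/* Hypothetical helper, not the cygutils function: convert mbs into a newly
 * allocated wide string. Returns 0 on success, -1 on error. */
int mbs_to_wcs_checked(const char *mbs, wchar_t **out)
{
    /* NULL destination: returns the wide chars needed, excluding the NUL. */
    size_t len = mbstowcs(NULL, mbs, 0);
    if (len == (size_t)-1)
        return -1;                          /* invalid multibyte sequence */
    if (len >= SIZE_MAX / sizeof(wchar_t))
        return -1;                          /* byte size would overflow */

    size_t cap = len + 1;                   /* capacity in wchar_t elements */
    wchar_t *buf = malloc(cap * sizeof(wchar_t)); /* bytes: malloc only */
    if (buf == NULL)
        return -1;

    /* Third argument is a count of wchar_t, so pass cap, not the byte size. */
    if (mbstowcs(buf, mbs, cap) != len) {
        free(buf);
        return -1;
    }
    buf[len] = L'\0';
    *out = buf;
    return 0;
}

int main(void)
{
    const char *uri = "https://www.google.com";   /* input from the report */
    wchar_t *w = NULL;
    if (mbs_to_wcs_checked(uri, &w) != 0)
        return 1;
    size_t cap = wcslen(w) + 1, bytes = cap * sizeof(wchar_t);
    printf("elements=%zu fits=%d; bytes=%zu fits=%d\n",
           cap, count_fits(cap, bytes), bytes, count_fits(bytes, bytes));
    free(w);
    return 0;
}
```

For the 22-character URI from the report the buffer holds 23 elements, so a count given in bytes exceeds the capacity on any platform where sizeof (wchar_t) is greater than 1.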