Bug#319489: Buffer overflow in Description parsing

Sat, 23 Jul 2005 07:13:05 -0700 

On Fri, Jul 22, 2005 at 10:28:10AM -0400, Anthony DeRobertis wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> In helpers.cpp, we find this code, which parses data returned from ebay:
> 
>    /*
>     * Parse the description out of the buffer first. This is
>     * most easily done at the buffer-level and not as we try
>     * to read the buffer in a line-oriented manner. There is
>     * probably a need to re-write this parser all together,
>     * but that's not what I'm going to do right now.
>     * Thanks to Bob Beaty!
>     */
>    scratch = strstr(Buff, ") -");
>    if (scratch != NULL) {
>      // move past the ") -"
>      scratch += 3;
>      // move past any whitespace
>      while (isspace(*scratch)) scratch++;
>      // copy over the description to a newline
>      idx = 0;
>      while (*scratch != '\n') {
>        Description[idx++] = *scratch++;
>      }
>      // NULL terminate the description I just parsed off
>      Description[idx] = '\0';
>    } else {
>      return FALSE;
>    }
> 
> Notice how it copies an abitrary amount of data, as much as ebay returns
> before \n, into Description. 

This should work for now.

Index: helpers.cpp
===================================================================
RCS file: /cvsroot/bidwatcher/bidwatcher/Attic/helpers.cpp,v
retrieving revision 1.90.2.58
diff -u -r1.90.2.58 helpers.cpp
--- helpers.cpp 15 May 2005 21:53:00 -0000      1.90.2.58
+++ helpers.cpp 23 Jul 2005 13:45:32 -0000
@@ -1043,7 +1043,7 @@
     }
   }

-   int idx=0;
+   unsigned idx=0;
    int cnt;
    int ended_early=0;
    int auc_type=TYPE_EBAY;
@@ -1086,7 +1086,7 @@
      while (isspace(*scratch)) scratch++;
      // copy over the description to a newline
      idx = 0;
-     while (*scratch != '\n') {
+     while (*scratch != '\n' && idx < sizeof Description) {
        Description[idx++] = *scratch++;
      }
      // NULL terminate the description I just parsed off



> The rest of this struct looks disturbing, too.

Welcome to inheriting a large chunk of code written by people who aren't
around anymore.  ;-)

I actually did go around a long while ago and fix a lot of these types
of things, but that one didn't jump out at me.  Thanks for bringing it
up.

-kpd


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to