From 9d43babde2a0959318ae9ed6269c1baa010c2336 Mon Sep 17 00:00:00 2001
From: Jonas Fonseca
Date: Sun, 26 Nov 2006 22:30:41 +0100
Subject: [PATCH 1/3] Fix out-of-bound access to the quote_char buffer

The quote_level was decremented unconditionally and could become negative resulting in a negative index after applying "modulus 2". Reproducable with an HTML file contianing "". Reported by paakku.
---
 src/document/html/parser/general.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/document/html/parser/general.c b/src/document/html/parser/general.c
index c68a4828..1184bf2b 100644
--- a/src/document/html/parser/general.c
+++ b/src/document/html/parser/general.c
@@ -114,7 +114,12 @@ html_quote_close(struct html_context *html_context, unsigned char *a,
 unsigned char *xxx3, unsigned char *xxx4, unsigned char **xxx5)
 {
- unsigned char *q = quote_char[--html_context->quote_level % 2];
+ unsigned char *q;
+
+ if (html_context->quote_level > 0)
+ html_context->quote_level--;
+
+ q = quote_char[html_context->quote_level % 2];
 put_chrs(html_context, q, 1);
 }

From 7e9fc6f33b33e076d16a1b02ab011df92e2641a8 Mon Sep 17 00:00:00 2001
From: Jonas Fonseca
Date: Tue, 28 Nov 2006 21:49:35 +0100
Subject: [PATCH 2/3] 6 GB funny

---
 contrib/elinks.fortune | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/contrib/elinks.fortune b/contrib/elinks.fortune
index 13eaa71e..bcaf543e 100644
--- a/contrib/elinks.fortune
+++ b/contrib/elinks.fortune
@@ -107,3 +107,9 @@ Scrool > pasky: HTML renderer doesn't work well with double-width characters. I
 Scrool > What's that?
 Scrool > It kills my current build.
 Miciah > Scary!
+%
+ paakku> fonseca: I think quote_level should be unsigned after all, in case it
+ overflows in html_quote on a 64-bit machine.
+fonseca> paakku: I am curious why you especially mention 64-bit?
+ paakku> 64-bit because exploiting this is likely to need a 6 GB HTML page and
+ that is not possible on 32-bit.
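Review bot: The clamp keeps the `quote_char` index in range on the close side, but the hunk shows nothing about what bounds `quote_level` where it is incremented on the open side; if the field is a signed int, an unbounded increment is signed overflow, which is undefined behaviour in C rather than a wrap, so making the field unsigned or capping the increment at its open site is worth a follow-up. The new branch also silently emits `quote_char[0]` for an unmatched close, which deserves a comment such as `/* Unbalanced close: stay at 0 so the index below is in range. */`. html_quote_close's signature begins before the hunk, so the field's type cannot be confirmed from here.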
From 85e3a094704b0250f8dd5b0801bc94473612db3e Mon Sep 17 00:00:00 2001
From: Jonas Fonseca
Date: Thu, 30 Nov 2006 16:25:49 +0100
Subject: [PATCH 3/3] Add a stupid test script to print CGI variables set by ELinks

To use it to test whether that CGI works put the following in your elinks.conf: set protocol.file.cgi.policy = 1 set protocol.file.cgi.path = "/path/to/elinks/test/cgi" Then point ELinks to the print-vars.sh script inside the CGI test directory in the ELinks source directory.
---
 test/cgi/print-vars.sh | 45 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100755 test/cgi/print-vars.sh

diff --git a/test/cgi/print-vars.sh b/test/cgi/print-vars.sh
new file mode 100755
index 00000000..449dd70a
--- /dev/null
+++ b/test/cgi/print-vars.sh
@@ -0,0 +1,45 @@
+#!/bin/sh
+#
+# Print all variables set by ELinks
+#
+
+cat <
+ CGI variables
+
+EOF
+
+for var in \
+ CONTENT_LENGTH \
+ GATEWAY_INTERFACE \
+ HTTP_ACCEPT \
+ HTTP_ACCEPT_LANGUAGE \
+ HTTP_CACHE_CONTROL \
+ HTTP_COOKIE \
+ HTTP_IF_MODIFIED_SINCE \
+ HTTP_PRAGMA \
+ HTTP_REFERER \
+ HTTP_USER_AGENT \
+ PATH_TRANSLATED \
+ QUERY_STRING \
+ REDIRECT_STATUS \
+ REMOTE_ADDR \
+ REQUEST_METHOD \
+ SCRIPT_FILENAME \
+ SCRIPT_NAME \
+ SERVER_NAME \
+ SERVER_PROTOCOL \
+ SERVER_SOFTWARE;
+do
+ eval val=$`echo $var`
+ echo "";
+done
+
+cat <
+
+
+EOF
+
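Review bot: Several of the values the loop prints are request-derived (`QUERY_STRING`, `HTTP_USER_AGENT`, `HTTP_COOKIE`, `HTTP_REFERER`), and the `echo` line inside the loop, whose markup has been lost in this rendering, appears to emit `$val` into HTML without escaping, so `&`, `<` or `>` in such a value would be rendered as markup instead of shown; filtering each value through `sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'` before the echo keeps the dump faithful. The `eval val=$…` line builds the assignment through a command substitution, where `eval "val=\$$var"` reads more directly and does the same. The opening here document is also garbled here, so whether a `Content-Type:` header and blank line precede the HTML cannot be confirmed; a CGI response needs them before the body.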
$var$val