Mailinglist Archive: opensuse-bugs (15092 mails)
[Bug 309009] sax2: segfault in sysp server detection
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Wed, 12 Sep 2007 16:42:24 -0600 (MDT)
- Message-id: <20070912224224.E77EDCC789@xxxxxxxxxxxxxxxxxxxxxx>
https://bugzilla.novell.com/show_bug.cgi?id=309009#c16
Michal Kubeček <bh-novell@xxxxxxxxx> changed:
What          | Removed             | Added
--------------+---------------------+------
Status        | NEEDINFO            | NEW
Info Provider | bh-novell@xxxxxxxxx |
--- Comment #16 from Michal Kubeček <bh-novell@xxxxxxxxx> 2007-09-12 16:42:20 MST ---
Created an attachment (id=163715)
--> (https://bugzilla.novell.com/attachment.cgi?id=163715)
proposed patch fixing the buffer overflow
I think I've found the problem: the segfault occurs when the log file contains
a (double-)quoted string longer than 261 characters (input device list in my
case). It is caused by these statements in sysp/lib/plog/parse.l:
S [\"][^\"]*[\"]
{S} { strcpy(yylval.string,yytext); return(STRING); }
since the type of yylval is declared in sysp/lib/plog/parse.yc as
%union
{
    float reel;
    int integer;
    char string[256];
}
An easy solution would be to copy only the first 255 characters for {S}. As STRING
is used only in chipset specification, this should do no harm.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
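The overflow described in the comment, as an added example written for this archive page; it is neither the attached patch nor sysp's own code. It mirrors the %union from parse.yc, replaces the strcpy() in the {S} action with a bounded copy that keeps at most 255 characters and always NUL-terminates, and runs a stand-in for the flex rule S [\"][^\"]*[\"] over a constructed log line (the "InputDevices" keyword and the 300-character device list are hypothetical, not a real sysp log). The return value of scan_line() counts the tokens that would have overflowed the 256-byte member under the original strcpy().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the %union in sysp/lib/plog/parse.yc: the STRING value is a
 * fixed 256-byte array, so any token of 256 characters or more overflows it
 * when copied with strcpy(). */
typedef union {
    float reel;
    int integer;
    char string[256];
} TokenValue;

/* Bounded replacement for strcpy(yylval.string, yytext) in the {S} action.
 * In a flex scanner text/len would be yytext/yyleng. Copies at most 255
 * bytes, always NUL-terminates, and returns 1 if the token was truncated. */
int store_string_token(TokenValue *val, const char *text, size_t len)
{
    size_t max = sizeof(val->string) - 1;   /* room for the terminator */
    int truncated = len > max;
    if (truncated)
        len = max;
    memcpy(val->string, text, len);
    val->string[len] = '\0';
    return truncated;
}

/* Stand-in for the flex rule S [\"][^\"]*[\"]: finds the next double-quoted
 * token starting at *cursor, stores its start in *start and returns its
 * length including both quotes, or 0 when no complete token remains. */
size_t next_quoted_token(const char **cursor, const char **start)
{
    const char *open = strchr(*cursor, '"');
    if (open == NULL)
        return 0;
    const char *close = strchr(open + 1, '"');
    if (close == NULL)
        return 0;                       /* unterminated: the rule would not match */
    *start = open;
    *cursor = close + 1;
    return (size_t)(close - open + 1);
}

/* Scans one log line, stores every quoted token into *last (the last one
 * wins, as yylval would be overwritten), and returns how many tokens were
 * longer than the union member can hold. */
int scan_line(const char *line, TokenValue *last)
{
    int overflows = 0;
    const char *cursor = line;
    const char *start;
    size_t len;

    while ((len = next_quoted_token(&cursor, &start)) != 0)
        overflows += store_string_token(last, start, len);
    return overflows;
}

/* Constructed sample line (hypothetical): a short chipset string followed by
 * a quoted input-device list of 300 characters, well past the 256-byte member. */
const char *build_sample(void)
{
    static char line[600];
    char devices[301];

    memset(devices, 'x', 300);
    devices[300] = '\0';
    snprintf(line, sizeof line, "Chipset \"i810\" InputDevices \"%s\"", devices);
    return line;
}

int main(void)
{
    TokenValue v;
    int n = scan_line(build_sample(), &v);
    printf("oversized tokens: %d, stored length: %zu\n", n, strlen(v.string));
    return 0;
}
```

The key property is that store_string_token() never writes past val->string[255] whatever the scanner matches, so a long quoted string in the log degrades to a truncated STRING token instead of corrupting the stack frame holding yylval.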