commit f1b931905e180ae805178d00d007b823f1a9d013
Author: Jaak Ristioja
Date: Thu Jun 27 22:57:03 2013 +0300
Fixed an NULL pointer dereference. A crash is caused by a NULL pointer dereference, because pBufRes = (char *)findSizeStart(pBuf); might return NULL after which pBuf = pBufRes; and pBuf++; pBuf = strstr(pBuf, " CURLHTTPTransport::getDirList(const char *dirURL) {
 fSize *= 1024;
 else if (pBufRes[0] == 'M')
 fSize *= 1048576;
+ pBuf = pBufRes;
 }
 struct DirEntry i;
 i.name = possibleName;
 i.size = (long unsigned int)fSize;
 i.isDirectory = (possibleName[possibleNameLength-1] == '/');
 dirList.push_back(i);
- pBuf = pBufRes;
 } else {
 pBuf += possibleNameLength;
 }
commit b848916c803b82deaa24654c0c4c2c192b2db439
Author: Jaak Ristioja
Date: Thu Jun 27 23:25:45 2013 +0300
Fixed buffer overflow. The sprintf() call didn't count for the fact that possibleNameLength might be greater than 399. DISCLAIMER: This is one of the most terrible patches I've ever written. But I hope this makes the Sword guys happy if post them a patch where I adhere to their coding standards. I will attempt to fix this in the future.
diff --git a/src/mgr/curlhttpt.cpp b/src/mgr/curlhttpt.cpp
index 8dfe768..3b41167 100644
--- a/src/mgr/curlhttpt.cpp
+++ b/src/mgr/curlhttpt.cpp
@@ -25,6 +25,7 @@
 #include
 #include
+#include
 #include
 #include
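Review bot: Moving `pBuf = pBufRes;` inside the guarded block stops the NULL dereference, but an entry for which findSizeStart() returns NULL still falls through to `i.size = (long unsigned int)fSize;` with whatever fSize held from the previous entry — the declaration `double fSize;` visible in the later hunk at -209 carries no initializer, so for the first such entry the value is indeterminate. Resetting it once per entry, e.g. `fSize = 0;` immediately before the findSizeStart() call, would make the no-size case deterministic and document that 0 means "size not parsed". The guard itself and the top of the loop are above this hunk, so I cannot confirm whether fSize is reset somewhere I cannot see.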
@@ -209,17 +210,20 @@ vector CURLHTTPTransport::getDirList(const char *dirURL) {
 SWBuf dirBuf;
 const char *pBuf;
 char *pBufRes;
- char possibleName[400];
+ char * possibleName;
 double fSize;
- int possibleNameLength = 0;
+ size_t possibleNameLength;
 if (!getURL("", dirURL, &dirBuf)) {
 pBuf = strstr(dirBuf, " pBuf);
 possibleNameLength = pBufRes - pBuf;
- sprintf(possibleName, "%.*s", possibleNameLength, pBuf);
+ possibleName = new char[possibleNameLength + 1u];
+ memcpy(possibleName, pBuf, possibleNameLength);
+ possibleName[possibleNameLength] = '\0';
 if (isalnum(possibleName[0])) {
 SWLog::getSystemLog()->logDebug("getDirListHTTP: Found a file: %s", possibleName);
 pBuf = pBufRes;
@@ -242,6 +246,8 @@ vector CURLHTTPTransport::getDirList(const char *dirURL) {
 } else {
 pBuf += possibleNameLength;
 }
+ delete[] possibleName;
+ pBuf++;
 pBuf = strstr(pBuf, "
Date: Mon Jul 1 18:45:19 2013 +0300
Fixed another overflow bug.
diff --git a/src/mgr/curlhttpt.cpp b/src/mgr/curlhttpt.cpp
index 3b41167..32c110a 100644
--- a/src/mgr/curlhttpt.cpp
+++ b/src/mgr/curlhttpt.cpp
@@ -219,6 +219,8 @@ vector CURLHTTPTransport::getDirList(const char *dirURL) {
 while (pBuf != NULL) {
 pBuf += 9;//move to the start of the actual name.
 pBufRes = (char *)strchr(pBuf, '\"');//Find the end of the possible file name
+ if (!pBufRes)
+ break;
 assert(pBufRes > pBuf);
 possibleNameLength = pBufRes - pBuf;
 possibleName = new char[possibleNameLength + 1u];
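Review bot: The sprintf() replacement introduces a manually managed buffer — `possibleName = new char[possibleNameLength + 1u];` here and `delete[] possibleName;` in the hunk at -242 — that is released only at the bottom of the loop body, so any exit between the two (an exception from `dirList.push_back(i)`, or a `break`/`continue` added later) leaks the allocation. The file already builds a vector for its return value, so a `std::string possibleName(pBuf, possibleNameLength);` at this point (adding <string> if it is not already pulled in, and using `possibleName.c_str()` at the SWBuf assignment and in the logDebug call) would give the same NUL-terminated copy with automatic cleanup and remove the delete[] entirely. Separately, `isalnum(possibleName[0])` passes a plain char; for a byte above 0x7F that is a negative value outside the domain of the ctype functions, and `isalnum((unsigned char)possibleName[0])` is the safe form. The enclosing getDirList body starts above this hunk.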
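Review bot: The added `if (!pBufRes) break;` covers a missing closing quote, but an empty name (`href=""`) is still left to `assert(pBufRes > pBuf);`, which compiles out under NDEBUG; since possibleNameLength is now a size_t (hunk at -209 of the previous commit), the `possibleName[possibleNameLength-1]` read in the isDirectory computation then wraps to SIZE_MAX and indexes far outside the one-byte allocation. Folding the two conditions together, `if (!pBufRes || pBufRes == pBuf) break;`, keeps release builds safe in the same shape the commit already uses, at the cost of truncating the listing at a malformed entry; skipping only that entry would need the loop's `pBuf++`/strstr tail to run, which a bare `continue` would bypass. The while body continues below this hunk.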