path: root/www/w3m/patches/patch-ag
blob: 28dd41800dee15543314c7b4c89aadb31f8341fb (plain)
$NetBSD: patch-ag,v 1.1 2001/06/24 05:57:24 itojun Exp $

plug buffer overrun vulnerability in mime charset parsing
http://mi.med.tohoku.ac.jp/~satodai/w3m-dev-en/200106.month/537.html

--- mimehead.c	Sun Jun 24 14:49:45 2001
+++ mimehead.c	Sun Jun 24 14:46:53 2001
@@ -173,27 +173,26 @@
 decodeWord(char **ow)
 {
 #endif
-    char buf[32];
     char *p, *w = *ow;
     char method;
     Str a = Strnew();
+    Str cs = Strnew();
 
     if (*w != '=' || *(w + 1) != '?')
 	goto convert_fail;
     w += 2;
-    for (p = buf; p - buf < 31 && *w != '?'; w++) {
+    for (; *w != '?'; w++) {
 	if (*w == '\0')
 	    goto convert_fail;
-	*(p++) = *w;
+	Strcat_char(cs, *w);
     }
-    *p = '\0';
 #ifdef USE_M17N
-    c = wc_guess_charset(buf, 0);
+    c = wc_guess_charset(cs->ptr, 0);
     if (! c)
 	goto convert_fail;
 #else
-    if (strcasecmp(buf, "ISO-8859-1") != 0 &&
-	strcasecmp(buf, "US_ASCII") != 0)
+    if (Strcasecmp_charp(cs, "ISO-8859-1") != 0 &&
+        Strcasecmp_charp(cs, "US_ASCII") != 0)
 	/* NOT ISO-8859-1 encoding ... don't convert */
 	goto convert_fail;
 #endif
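Review bot: The rewritten charset loop (`for (; *w != '?'; w++)`) has no upper bound, so `cs` now grows by as much as the message header supplies before it reaches `wc_guess_charset()` or `Strcasecmp_charp()`. That removes the fixed-buffer risk, but RFC 2047 limits a whole encoded-word to 75 characters, so an over-long token can be rejected early instead of copied, e.g. `if (cs->length >= 75) goto convert_fail;` inside the loop before `Strcat_char(cs, *w);`. A short comment above the loop such as `/* charset token is untrusted header data; length-capped per RFC 2047 */` would record why the bound is there. decodeWord starts above and continues below this hunk, so how `convert_fail` treats the partially consumed `w` is not visible here and should be confirmed.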