rpms/lynx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7ccc59f48f
lynx/lynx-2.8.5-cve_2004_1617.patch

225 lines
7.8 KiB
Diff
Raw Normal View History

automatic version update by autodist [release 2.8.8-1mamba;Sat Feb 15 2014]
2024-01-06 06:37:56 +01:00
#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_CVE-2004-1617.dpatch from the OpenBSD project.
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: CVE-2004-1617: Lynx allows remote attackers to cause a denial of service
## DP: (infinite loop) via a web page or HTML email that contains invalid HTML
## DP: including (1) a TEXTAREA tag with a large COLS value and (2) a large tag
## DP: name in an element that is not terminated.
@DPATCH@
diff -urNad lynx-2.8.5~/src/GridText.c lynx-2.8.5/src/GridText.c
--- lynx-2.8.5~/src/GridText.c 2004-01-28 19:30:38.000000000 +0000
+++ lynx-2.8.5/src/GridText.c 2006-05-12 15:12:32.000000000 +0100
@@ -9589,8 +9589,8 @@
/*
* Set SIZE.
*/
- if (I->size != NULL) {
- f->size = atoi(I->size);
+ if (I->size != 0) {
+ f->size = I->size;
/*
* Leave at zero for option lists.
*/
diff -urNad lynx-2.8.5~/src/HTForms.h lynx-2.8.5/src/HTForms.h
--- lynx-2.8.5~/src/HTForms.h 2003-06-02 02:16:28.000000000 +0100
+++ lynx-2.8.5/src/HTForms.h 2006-05-12 15:12:32.000000000 +0100
@@ -40,7 +40,7 @@
CONST char *md;
CONST char *min;
CONST char *name;
- CONST char *size;
+ int size;
CONST char *src;
CONST char *type;
char *value;
diff -urNad lynx-2.8.5~/src/HTML.c lynx-2.8.5/src/HTML.c
--- lynx-2.8.5~/src/HTML.c 2004-01-19 12:16:02.000000000 +0000
+++ lynx-2.8.5/src/HTML.c 2006-05-12 15:12:32.000000000 +0100
@@ -80,6 +80,19 @@
#define STACKLEVEL(me) ((me->stack + MAX_NESTING - 1) - me->sp)
+#define DFT_TEXTAREA_COLS 60
+#define DFT_TEXTAREA_ROWS 4
+
+#define MAX_TEXTAREA_COLS LYcolLimit
+#define MAX_TEXTAREA_ROWS (3 * LYlines)
+
+#define LimitValue(name, value) \
+ if (name > value) { \
+ CTRACE((tfp, "Limited " #name " to %d, was %d\n", \
+ value, name)); \
+ name = value; \
+ }
+
struct _HTStream {
CONST HTStreamClass * isa;
#ifdef USE_SOURCE_CACHE
@@ -4316,7 +4329,7 @@
I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL;
I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL;
I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL;
- I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL;
+ I.min=NULL; I.name=NULL; I.size=0; I.src=NULL;
I.type=NULL; I.value=NULL; I.width=NULL;
I.accept_cs = NULL;
I.name_cs = ATTR_CS_IN;
@@ -4502,7 +4515,7 @@
I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL;
I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL;
I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL;
- I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL;
+ I.min=NULL; I.name=NULL; I.size=0; I.src=NULL;
I.type=NULL; I.value=NULL; I.width=NULL;
I.accept_cs = NULL;
I.name_cs = ATTR_CS_IN;
@@ -4794,7 +4807,7 @@
I.checked = YES;
if (present && present[HTML_INPUT_SIZE] &&
value[HTML_INPUT_SIZE] && *value[HTML_INPUT_SIZE])
- I.size = value[HTML_INPUT_SIZE];
+ I.size = atoi(value[HTML_INPUT_SIZE]);
if (present && present[HTML_INPUT_MAXLENGTH] &&
value[HTML_INPUT_MAXLENGTH] && *value[HTML_INPUT_MAXLENGTH])
I.maxlength = value[HTML_INPUT_MAXLENGTH];
@@ -5033,26 +5046,28 @@
if (present && present[HTML_TEXTAREA_COLS] &&
value[HTML_TEXTAREA_COLS] &&
isdigit(UCH(*value[HTML_TEXTAREA_COLS])))
- StrAllocCopy(me->textarea_cols, value[HTML_TEXTAREA_COLS]);
+ me->textarea_cols = atoi(value[HTML_TEXTAREA_COLS]);
else {
int width;
width = LYcols - 1 -
me->new_style->leftIndent - me->new_style->rightIndent;
if (dump_output_immediately) /* don't waste too much for this */
- width = HTMIN(width, 60);
+ width = HTMIN(width, DFT_TEXTAREA_COLS);
if (width > 1 && (width-1)*6 < MAX_LINE - 3 -
me->new_style->leftIndent - me->new_style->rightIndent)
- HTSprintf0(&me->textarea_cols, "%d", width);
+ me->textarea_cols = width;
else
- StrAllocCopy(me->textarea_cols, "60");
+ me->textarea_cols = DFT_TEXTAREA_COLS;
}
+ LimitValue(me->textarea_cols, MAX_TEXTAREA_COLS);
if (present && present[HTML_TEXTAREA_ROWS] &&
value[HTML_TEXTAREA_ROWS] &&
isdigit(UCH(*value[HTML_TEXTAREA_ROWS])))
me->textarea_rows = atoi(value[HTML_TEXTAREA_ROWS]);
else
- me->textarea_rows = 4;
+ me->textarea_rows = DFT_TEXTAREA_ROWS;
+ LimitValue(me->textarea_rows, MAX_TEXTAREA_ROWS);
if (present && present[HTML_TEXTAREA_DISABLED])
me->textarea_disabled = YES;
@@ -5169,7 +5184,7 @@
I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL;
I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL;
I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL;
- I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL;
+ I.min=NULL; I.name=NULL; I.size=0; I.src=NULL;
I.type=NULL; I.value=NULL; I.width=NULL;
I.accept_cs = NULL;
I.name_cs = -1;
@@ -6818,7 +6833,7 @@
I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL;
I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL;
I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL;
- I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL;
+ I.min=NULL; I.name=NULL; I.size=0; I.src=NULL;
I.type=NULL; I.value=NULL; I.width=NULL;
I.value_cs = current_char_set;
@@ -6969,7 +6984,7 @@
}
I.value = temp;
chars = HText_beginInput(me->text, me->inUnderline, &I);
- for (chars = atoi(me->textarea_cols); chars > 0; chars--)
+ for (chars = me->textarea_cols; chars > 0; chars--)
HTML_put_character(me, '_');
HText_appendCharacter(me->text, '\r');
if (*data == '\n') {
@@ -6994,7 +7009,6 @@
HTChunkClear(&me->textarea);
FREE(me->textarea_name);
me->textarea_name_cs = -1;
- FREE(me->textarea_cols);
FREE(me->textarea_id);
break;
}
@@ -7541,7 +7555,6 @@
FREE(me->map_address);
FREE(me->textarea_name);
FREE(me->textarea_accept_cs);
- FREE(me->textarea_cols);
FREE(me->textarea_id);
FREE(me->LastOptionValue);
FREE(me->xinclude);
@@ -7721,7 +7734,7 @@
me->textarea_name = NULL;
me->textarea_name_cs = -1;
me->textarea_accept_cs = NULL;
- me->textarea_cols = NULL;
+ me->textarea_cols = 0;
me->textarea_rows = 4;
me->textarea_disabled = NO;
me->textarea_id = NULL;
diff -urNad lynx-2.8.5~/src/HTML.h lynx-2.8.5/src/HTML.h
--- lynx-2.8.5~/src/HTML.h 2004-01-08 02:03:09.000000000 +0000
+++ lynx-2.8.5/src/HTML.h 2006-05-12 15:12:32.000000000 +0100
@@ -104,7 +104,7 @@
char * textarea_name;
int textarea_name_cs;
char * textarea_accept_cs;
- char * textarea_cols;
+ int textarea_cols;
int textarea_rows;
int textarea_disabled;
char * textarea_id;
diff -urNad lynx-2.8.5~/src/LYCurses.h lynx-2.8.5/src/LYCurses.h
--- lynx-2.8.5~/src/LYCurses.h 2004-01-28 19:30:38.000000000 +0000
+++ lynx-2.8.5/src/LYCurses.h 2006-05-12 15:12:32.000000000 +0100
@@ -365,6 +365,24 @@
extern int LYlines; /* replaces LINES */
extern int LYcols; /* replaces COLS */
+/*
+ * The scrollbar, if used, occupies the rightmost column.
+ */
+#ifdef USE_SCROLLBAR
+#define LYbarWidth (LYShowScrollbar ? 1 : 0)
+#else
+#define LYbarWidth 0
+#endif
+
+/*
+ * Usable limits for display:
+ */
+#if defined(FANCY_CURSES) || defined(USE_SLANG)
+#define LYcolLimit (LYcols - LYbarWidth)
+#else
+#define LYcolLimit (LYcols - 1)
+#endif
+
#ifdef USE_CURSES_PADS
extern WINDOW *LYwin;
extern int LYshiftWin;
diff -urNad lynx-2.8.5~/userdefs.h lynx-2.8.5/userdefs.h
--- lynx-2.8.5~/userdefs.h 2006-05-12 15:11:12.000000000 +0100
+++ lynx-2.8.5/userdefs.h 2006-05-12 15:12:32.000000000 +0100
@@ -1379,6 +1379,8 @@
#define MAXCHARSETS 60 /* max character sets supported */
#define TRST_MAXROWSPAN 10000 /* max rowspan accepted by TRST code */
#define TRST_MAXCOLSPAN 1000 /* max colspan and COL/COLGROUP span accepted */
+#define MAX_TABLE_ROWS 200 /* max rows for tables */
+#define MAX_TABLE_COLS 200 /* max cols for tables */
#define SAVE_TIME_NOT_SPACE /* minimize number of some malloc calls */
/* Win32 may support more, but old win16 helper apps may not. */
Reference in New Issue Copy Permalink