#! /bin/sh /usr/share/dpatch/dpatch-run ## 04_CVE-2004-1617.dpatch from the OpenBSD project. ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: CVE-2004-1617: Lynx allows remote attackers to cause a denial of service ## DP: (infinite loop) via a web page or HTML email that contains invalid HTML ## DP: including (1) a TEXTAREA tag with a large COLS value and (2) a large tag ## DP: name in an element that is not terminated. @DPATCH@ diff -urNad lynx-2.8.5~/src/GridText.c lynx-2.8.5/src/GridText.c --- lynx-2.8.5~/src/GridText.c 2004-01-28 19:30:38.000000000 +0000 +++ lynx-2.8.5/src/GridText.c 2006-05-12 15:12:32.000000000 +0100 @@ -9589,8 +9589,8 @@ /* * Set SIZE. */ - if (I->size != NULL) { - f->size = atoi(I->size); + if (I->size != 0) { + f->size = I->size; /* * Leave at zero for option lists. */ diff -urNad lynx-2.8.5~/src/HTForms.h lynx-2.8.5/src/HTForms.h --- lynx-2.8.5~/src/HTForms.h 2003-06-02 02:16:28.000000000 +0100 +++ lynx-2.8.5/src/HTForms.h 2006-05-12 15:12:32.000000000 +0100 @@ -40,7 +40,7 @@ CONST char *md; CONST char *min; CONST char *name; - CONST char *size; + int size; CONST char *src; CONST char *type; char *value; diff -urNad lynx-2.8.5~/src/HTML.c lynx-2.8.5/src/HTML.c --- lynx-2.8.5~/src/HTML.c 2004-01-19 12:16:02.000000000 +0000 +++ lynx-2.8.5/src/HTML.c 2006-05-12 15:12:32.000000000 +0100 @@ -80,6 +80,19 @@ #define STACKLEVEL(me) ((me->stack + MAX_NESTING - 1) - me->sp) +#define DFT_TEXTAREA_COLS 60 +#define DFT_TEXTAREA_ROWS 4 + +#define MAX_TEXTAREA_COLS LYcolLimit +#define MAX_TEXTAREA_ROWS (3 * LYlines) + +#define LimitValue(name, value) \ + if (name > value) { \ + CTRACE((tfp, "Limited " #name " to %d, was %d\n", \ + value, name)); \ + name = value; \ + } + struct _HTStream { CONST HTStreamClass * isa; #ifdef USE_SOURCE_CACHE 
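Review bot: `LimitValue` in the HTML.c hunk at -80 expands to a bare `if (...) { ... }`, so a call written as `LimitValue(a, b);` inside an unbraced `if`/`else` would detach the `else`, and the arguments are used unparenthesised and evaluated more than once. Wrapping the body as `do { if ((name) > (value)) { ...; (name) = (value); } } while (0)` keeps it a single statement. The macro clamps the upper side only, so zero and negative values pass through unchanged; a comment such as `/* upper bound only; callers must handle values <= 0 */` would stop later users from treating it as full range validation. `MAX_TEXTAREA_COLS` and `MAX_TEXTAREA_ROWS` expand to run-time expressions on `LYcols` and `LYlines`, which is worth stating next to the definitions.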
@@ -4316,7 +4329,7 @@ I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL; I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL; I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL; - I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL; + I.min=NULL; I.name=NULL; I.size=0; I.src=NULL; I.type=NULL; I.value=NULL; I.width=NULL; I.accept_cs = NULL; I.name_cs = ATTR_CS_IN; @@ -4502,7 +4515,7 @@ I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL; I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL; I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL; - I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL; + I.min=NULL; I.name=NULL; I.size=0; I.src=NULL; I.type=NULL; I.value=NULL; I.width=NULL; I.accept_cs = NULL; I.name_cs = ATTR_CS_IN; @@ -4794,7 +4807,7 @@ I.checked = YES; if (present && present[HTML_INPUT_SIZE] && value[HTML_INPUT_SIZE] && *value[HTML_INPUT_SIZE]) - I.size = value[HTML_INPUT_SIZE]; + I.size = atoi(value[HTML_INPUT_SIZE]); if (present && present[HTML_INPUT_MAXLENGTH] && value[HTML_INPUT_MAXLENGTH] && *value[HTML_INPUT_MAXLENGTH]) I.maxlength = value[HTML_INPUT_MAXLENGTH]; 
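Review bot: `I.size = atoi(value[HTML_INPUT_SIZE]);` in the -4794 hunk stores a page-supplied SIZE with no range check, while the TEXTAREA values in the same patch are passed through `LimitValue`. `atoi` has undefined behaviour when the digits do not fit in an `int`, and a negative or very large result reaches `f->size = I->size;` in the GridText.c hunk at -9589, which only tests `!= 0`. Unless GridText.c clamps `f->size` further down (not visible here), consider parsing with `strtol` and bounding the result, for example `if (I.size < 0) I.size = 0;` followed by `LimitValue(I.size, MAX_LINE);` or whatever bound the form-field code actually supports. The enclosing function starts and ends outside the hunk.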
@@ -5033,26 +5046,28 @@ if (present && present[HTML_TEXTAREA_COLS] && value[HTML_TEXTAREA_COLS] && isdigit(UCH(*value[HTML_TEXTAREA_COLS]))) - StrAllocCopy(me->textarea_cols, value[HTML_TEXTAREA_COLS]); + me->textarea_cols = atoi(value[HTML_TEXTAREA_COLS]); else { int width; width = LYcols - 1 - me->new_style->leftIndent - me->new_style->rightIndent; if (dump_output_immediately) /* don't waste too much for this */ - width = HTMIN(width, 60); + width = HTMIN(width, DFT_TEXTAREA_COLS); if (width > 1 && (width-1)*6 < MAX_LINE - 3 - me->new_style->leftIndent - me->new_style->rightIndent) - HTSprintf0(&me->textarea_cols, "%d", width); + me->textarea_cols = width; else - StrAllocCopy(me->textarea_cols, "60"); + me->textarea_cols = DFT_TEXTAREA_COLS; } + LimitValue(me->textarea_cols, MAX_TEXTAREA_COLS); if (present && present[HTML_TEXTAREA_ROWS] && value[HTML_TEXTAREA_ROWS] && isdigit(UCH(*value[HTML_TEXTAREA_ROWS]))) me->textarea_rows = atoi(value[HTML_TEXTAREA_ROWS]); else - me->textarea_rows = 4; + me->textarea_rows = DFT_TEXTAREA_ROWS; + LimitValue(me->textarea_rows, MAX_TEXTAREA_ROWS); if (present && present[HTML_TEXTAREA_DISABLED]) me->textarea_disabled = YES; @@ -5169,7 +5184,7 @@ I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL; I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL; I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL; - I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL; + I.min=NULL; I.name=NULL; I.size=0; I.src=NULL; I.type=NULL; I.value=NULL; I.width=NULL; I.accept_cs = NULL; I.name_cs = -1; @@ -6818,7 +6833,7 @@ I.align=NULL; I.accept=NULL; I.checked=NO; I.class=NULL; I.disabled=NO; I.error=NULL; I.height= NULL; I.id=NULL; I.lang=NULL; I.max=NULL; I.maxlength=NULL; I.md=NULL; - I.min=NULL; I.name=NULL; I.size=NULL; I.src=NULL; + I.min=NULL; I.name=NULL; I.size=0; I.src=NULL; I.type=NULL; I.value=NULL; I.width=NULL; I.value_cs = current_char_set; 
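Review bot: The COLS and ROWS branches in the -5033 hunk check only the first character with `isdigit` before calling `atoi`, so a long digit string overflows `int` (undefined behaviour for `atoi`) and may come back as zero or negative, which `LimitValue` does not catch because it clamps the upper side only. A `strtol` parse with an `ERANGE` check, or a lower clamp such as `if (me->textarea_cols <= 0) me->textarea_cols = DFT_TEXTAREA_COLS;` (and the same for rows with `DFT_TEXTAREA_ROWS`), would make the stored value well defined. `MAX_TEXTAREA_COLS` is `LYcolLimit`, which can itself be small on a narrow display, so every consumer of these fields should tolerate a non-positive width. The loop in the -6969 hunk does, since it tests `chars > 0`, but other uses of `textarea_rows` are not visible here.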
@@ -6969,7 +6984,7 @@ } I.value = temp; chars = HText_beginInput(me->text, me->inUnderline, &I); - for (chars = atoi(me->textarea_cols); chars > 0; chars--) + for (chars = me->textarea_cols; chars > 0; chars--) HTML_put_character(me, '_'); HText_appendCharacter(me->text, '\r'); if (*data == '\n') { @@ -6994,7 +7009,6 @@ HTChunkClear(&me->textarea); FREE(me->textarea_name); me->textarea_name_cs = -1; - FREE(me->textarea_cols); FREE(me->textarea_id); break; } @@ -7541,7 +7555,6 @@ FREE(me->map_address); FREE(me->textarea_name); FREE(me->textarea_accept_cs); - FREE(me->textarea_cols); FREE(me->textarea_id); FREE(me->LastOptionValue); FREE(me->xinclude); @@ -7721,7 +7734,7 @@ me->textarea_name = NULL; me->textarea_name_cs = -1; me->textarea_accept_cs = NULL; - me->textarea_cols = NULL; + me->textarea_cols = 0; me->textarea_rows = 4; me->textarea_disabled = NO; me->textarea_id = NULL; diff -urNad lynx-2.8.5~/src/HTML.h lynx-2.8.5/src/HTML.h --- lynx-2.8.5~/src/HTML.h 2004-01-08 02:03:09.000000000 +0000 +++ lynx-2.8.5/src/HTML.h 2006-05-12 15:12:32.000000000 +0100 @@ -104,7 +104,7 @@ char * textarea_name; int textarea_name_cs; char * textarea_accept_cs; - char * textarea_cols; + int textarea_cols; int textarea_rows; int textarea_disabled; char * textarea_id; diff -urNad lynx-2.8.5~/src/LYCurses.h lynx-2.8.5/src/LYCurses.h --- lynx-2.8.5~/src/LYCurses.h 2004-01-28 19:30:38.000000000 +0000 +++ lynx-2.8.5/src/LYCurses.h 2006-05-12 15:12:32.000000000 +0100 
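Review bot: The initialiser in the -7721 hunk still writes `me->textarea_rows = 4;` and sets `me->textarea_cols = 0;`, although this patch introduces `DFT_TEXTAREA_ROWS` and `DFT_TEXTAREA_COLS` for exactly those defaults. Using `me->textarea_rows = DFT_TEXTAREA_ROWS;` keeps the default in one place. If 0 is meant as "not yet set" for cols, a short comment such as `/* assigned when the TEXTAREA start tag is parsed */` would make that explicit. The enclosing function starts and ends outside the hunk.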
@@ -365,6 +365,24 @@ extern int LYlines; /* replaces LINES */ extern int LYcols; /* replaces COLS */ +/* + * The scrollbar, if used, occupies the rightmost column. + */ +#ifdef USE_SCROLLBAR +#define LYbarWidth (LYShowScrollbar ? 1 : 0) +#else +#define LYbarWidth 0 +#endif + +/* + * Usable limits for display: + */ +#if defined(FANCY_CURSES) || defined(USE_SLANG) +#define LYcolLimit (LYcols - LYbarWidth) +#else +#define LYcolLimit (LYcols - 1) +#endif + #ifdef USE_CURSES_PADS extern WINDOW *LYwin; extern int LYshiftWin; diff -urNad lynx-2.8.5~/userdefs.h lynx-2.8.5/userdefs.h --- lynx-2.8.5~/userdefs.h 2006-05-12 15:11:12.000000000 +0100 +++ lynx-2.8.5/userdefs.h 2006-05-12 15:12:32.000000000 +0100 @@ -1379,6 +1379,8 @@ #define MAXCHARSETS 60 /* max character sets supported */ #define TRST_MAXROWSPAN 10000 /* max rowspan accepted by TRST code */ #define TRST_MAXCOLSPAN 1000 /* max colspan and COL/COLGROUP span accepted */ +#define MAX_TABLE_ROWS 200 /* max rows for tables */ +#define MAX_TABLE_COLS 200 /* max cols for tables */ #define SAVE_TIME_NOT_SPACE /* minimize number of some malloc calls */ /* Win32 may support more, but old win16 helper apps may not. */
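Review bot: `MAX_TABLE_ROWS` and `MAX_TABLE_COLS` in the userdefs.h hunk are not referenced by any hunk visible in this patch, so as shown they limit nothing. The neighbouring `TRST_MAXROWSPAN` and `TRST_MAXCOLSPAN` are span limits with a different meaning, so the new names need either the code that enforces them or a comment naming the parser that does. The patch description also lists an unterminated element with a large tag name as a second trigger, and none of the visible hunks touch tag-name handling; it is worth confirming that case is covered elsewhere before treating the CVE as fully addressed.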