It appears that the problem is a fixed-length prompt string buffer in
rcstuff.c. The following patch increases the length of the buffer and
also changes all the sprintfs to snprintfs, so that in the worst case
the prompt will merely be truncated instead of the stack being
corrupted.
This patch was developed for trn version 3.6.
The same flawed approach (sprintf to a fixed length buffer) is also
used in other places in trn. It seems like it could use a general
cleanup, but I don't really have time for that at the moment, and with
version 4 already existing I'm not sure it's worth it.
--- rcstuff.c.orig Sat Aug 20 16:47:59 1994
+++ rcstuff.c Sun Jan 6 21:55:51 2002
@@ -282,7 +282,8 @@
int flags;
{
char *ntoforget;
- char promptbuf[128];
+#define PBLEN 240
+ char promptbuf[PBLEN+1];
int autosub;
#ifdef VERBOSE
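Review bot: `#define PBLEN 240` is placed inside the function body, so the macro stays defined for the rest of rcstuff.c, and the buffer size and the limit passed to each snprintf agree only by convention. Passing `sizeof promptbuf` at the call sites (the hunks at -347 and -418) would tie the bound to the declaration and make the macro unnecessary; failing that, the define belongs at file scope with a comment stating that it bounds the prompt text. Passing PBLEN for a PBLEN+1 buffer is safe and only leaves one byte unused. The function begins above this hunk and continues past it.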
@@ -347,11 +348,11 @@
} else {
#ifdef VERBOSE
IF(verbose)
- sprintf(promptbuf,"\nNewsgroup %s not in .newsrc -- subscribe?",ngname);
+ snprintf(promptbuf,PBLEN,"\nNewsgroup %s not in .newsrc -- subscribe?",ngname);
ELSE
#endif
#ifdef TERSE
- sprintf(promptbuf,"\nSubscribe %s?",ngname);
+ snprintf(promptbuf,PBLEN,"\nSubscribe %s?",ngname);
#endif
reask_add:
in_char(promptbuf,'A',"ynYN");
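Review bot: Truncation in these two snprintf calls is silent and cuts from the end, so an overlong ngname drops the question text and the user is asked to confirm a group name that is not shown in full. Bounding the name with a precision keeps the question intact, for example `snprintf(promptbuf, sizeof promptbuf, "\nSubscribe %.190s?", ngname);`, and a return value of `sizeof promptbuf` or more can be used to tell the user the name was shortened. The same applies to both calls in the hunk at -418. The enclosing function starts and ends outside this hunk.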
@@ -418,13 +419,13 @@
else if (rcchar[ng] == NEGCHAR) { /* unsubscribed? */
#ifdef VERBOSE
IF(verbose)
- sprintf(promptbuf,
+ snprintf(promptbuf, PBLEN,
"\nNewsgroup %s is unsubscribed -- resubscribe?",ngname)
FLUSH;
ELSE
#endif
#ifdef TERSE
- sprintf(promptbuf,"\nResubscribe %s?",ngname)
+ snprintf(promptbuf,PBLEN,"\nResubscribe %s?",ngname)
FLUSH;
#endif
reask_unsub:
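Review bot: An overlong ngname is still accepted on this path and only its display is shortened; because the description says other sprintf calls into fixed buffers remain elsewhere in trn, a length check on the name where it enters this function would cover those paths as well. Whether a caller already bounds ngname is not visible in the patch. Separately, the K&R-style declarations suggest the code may be built on platforms that lack snprintf, so a configure test or fallback may be needed; that is inferred, not shown here. The enclosing function starts and ends outside this hunk.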