From: Robert Wilhelm (robert.wilhelm_at_gmx.net)
Date: Mon Mar 08 2004 - 15:00:55 EST
Today I was able to trace the reason for all these "AbiWord 2.0.3"
crashes on Windows during import of a Word document:
The stylesheet.c patch which some unnamed abi hacker committed on 1.1.2004
seems to be utterly broken:
- b is initialized in every iteration of the loop.
- item->xstzName is used in strncat without initialising it.
- the terminating null is not taken into account when checking
if there is enough space
- the third argument to strncat is the maximum number of chars to be
concatenated, not the maximum result length.
I have appended a patch.
Robert
--- stylesheet.c 2004-03-02 21:03:22.000000000 +0100
+++ /home/robert/stylesheet.c 2004-03-08 19:45:59.000000000 +0100
@@ -121,6 +121,7 @@
U16 count = 0;
U32 allocName = 0; /* length allocated for xstzName */
iconv_t conv = NULL;
+ U32 b = 0;
wvInitSTD (item); /* zero any new fields that might not exist in the file */
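Review bot: hoisting `b` out of the loop is the right fix for the per-iteration reset, but the new declaration has no comment while the neighbouring `allocName` does; add one such as `/* bytes used so far in xstzName */` so the relationship between `b` and `allocName` is visible at the declaration, since the `>= allocName` check in the later hunk depends on it.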
@@ -191,11 +192,12 @@
wvTrace (("doing a std, str len is %d\n", len + 1));
allocName = (len + 1) * sizeof (char);
item->xstzName = (char *) wvMalloc (allocName);
+ *(item->xstzName) = 0;
+ b = 0;
conv = iconv_open("utf-8", "UCS-2");
for (i = 0; i < len + 1; i++)
{
- U32 b = 0;
if (count < 10)
{
/* Hub: IMHO we should perform a conversion here */
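Review bot: `*(item->xstzName) = 0;` dereferences the result of `wvMalloc` without checking it, and the first `strncat` then relies on that terminator being present; if `wvMalloc` can return NULL, add a check between `item->xstzName = (char *) wvMalloc (allocName);` and the store. The `b = 0;` reset right after the allocation is what makes the function-scope `b` correct across successive style names, so keep the two statements together.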
@@ -205,7 +207,7 @@
else
{
char buf[16];
- char * tmp;
+ char * tmp;
const char * tmp2;
size_t insz, sz;
temp16 = read_16ubit (fd);
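Review bot: the `- char * tmp;` / `+ char * tmp;` pair is a whitespace-only change with no functional effect; either drop it from a bug-fix patch or mention it in the description so reviewers do not hunt for a semantic difference.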
@@ -214,17 +216,17 @@
tmp = buf;
sz = sizeof(buf);
iconv (conv, &tmp2, &insz, &tmp, &sz);
- while (b + (sizeof(buf) - sz) >= allocName) {
- allocName *= 2;
+ while ((b + sizeof(buf) - sz + 1) >= allocName) {
+ allocName *= 2;
item->xstzName = (char *) realloc(item->xstzName, allocName);
}
if (sz) {
*tmp = 0;
}
- strncat (item->xstzName, buf, allocName);
+ strncat (item->xstzName, buf, sizeof(buf) - sz);
b += (sizeof(buf) - sz);
pos += 2;
-
+
}
wvTrace (("sample letter is %c\n", item->xstzName[i]));
This archive was generated by hypermail 2.1.4 : Mon Mar 08 2004 - 15:02:20 EST