LYNX-DEV Lynx 2-7-1 Bug in forms handling code.

From: Rick Mallett
Subject: LYNX-DEV Lynx 2-7-1 Bug in forms handling code.
Date: Thu, 29 May 1997 16:33:04 -0400 (EDT)

This bug relates to mishandling of very large value fields in the latest
version of lynx 2-7-1 plus dated May 29, 1997. The problem
was reported by one of our users who got a segment violation (signal 11)
when she attempted to use a form at
a WWW-based newsgroup which uses HTML forms for posting messages and/or
followups. To cut a long story short, it seems that if the default value
for a textarea forms entry is greater than 1024 characters there will be
a memory overrun on the last line of LYSetupEdit in LYStrings.c when the
function attempts to copy the long string into a 1024-byte buffer. The
statement in question is
   strcpy(edit->buffer, old);
where old is the very long string (the default value of the textarea) and
edit->buffer is a 1024-byte buffer (typedef EditFieldData in LYStrings.h).

LYSetupEdit is actually passed the length of the buffer as its third 
argument so it should be possible to replace the errant line by the
   if (strlen(old) >= maxstr) {
       strncpy(edit->buffer, old, maxstr - 1);  /* bounded copy: buffer holds maxstr bytes */
       edit->buffer[maxstr - 1] = '\0';          /* strncpy leaves no NUL when it truncates */
   } else
       strcpy(edit->buffer, old);

although there might be a more elegant way to handle the problem as in
malloc'ing the space for edit->buffer etc. If the string is truncated 
as shown above I would think that a statusline message would be in 

Rick Mallett
Carleton University

Email address: address@hidden
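The following is an added C example written for this archive page, not code from Lynx or from the report above. It models only the fixed 1024-byte buffer the report names (a hypothetical EditFieldData stand-in) and shows a bounded replacement for the strcpy() call that both prevents the overrun and tells the caller whether truncation happened, which is what a statusline message would need. The function names setup_edit_bounded, stored_length_for and truncated_for, and the constructed 'x'-filled textarea default, are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Lynx's EditFieldData (LYStrings.h): only the
 * fixed 1024-byte buffer named in the report is modelled here. */
#define EDIT_BUFFER_SIZE 1024

typedef struct {
    char buffer[EDIT_BUFFER_SIZE];
} EditFieldData;

/*
 * Bounded replacement for the strcpy(edit->buffer, old) from the report.
 * maxstr is the size of edit->buffer, as passed to LYSetupEdit.  At most
 * maxstr-1 characters are copied and the result is always NUL-terminated,
 * so a textarea default longer than the buffer can no longer overrun it.
 * Returns 1 if the value was truncated (so the caller can e.g. show a
 * statusline message), 0 if it fit, -1 if maxstr is 0.
 */
int setup_edit_bounded(EditFieldData *edit, const char *old, size_t maxstr)
{
    size_t len = strlen(old);

    if (maxstr == 0)
        return -1;                        /* no room even for the terminator */

    if (len >= maxstr) {
        memcpy(edit->buffer, old, maxstr - 1);
        edit->buffer[maxstr - 1] = '\0';
        return 1;
    }
    memcpy(edit->buffer, old, len + 1);   /* len + 1 includes the NUL */
    return 0;
}

/* Constructed textarea default of value_len 'x' characters (capped to the
 * scratch buffer), standing in for the >1024-character value in the report. */
static const char *constructed_value(size_t value_len)
{
    static char scratch[8192];
    if (value_len > sizeof scratch - 1)
        value_len = sizeof scratch - 1;
    memset(scratch, 'x', value_len);
    scratch[value_len] = '\0';
    return scratch;
}

/* Length actually stored in the edit buffer for a default of value_len chars. */
size_t stored_length_for(size_t value_len)
{
    EditFieldData edit;
    setup_edit_bounded(&edit, constructed_value(value_len), sizeof edit.buffer);
    return strlen(edit.buffer);
}

/* Truncation flag returned for a default of value_len chars. */
int truncated_for(size_t value_len)
{
    EditFieldData edit;
    return setup_edit_bounded(&edit, constructed_value(value_len), sizeof edit.buffer);
}

int main(void)
{
    size_t lens[] = { 10, 1023, 1024, 2000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("default of %4zu chars -> stored %4zu, truncated=%d\n",
               lens[i], stored_length_for(lens[i]), truncated_for(lens[i]));
    return 0;
}
```

The value 1023 is the largest default that fits unchanged; anything of 1024 characters or more is cut to 1023 and flagged, which is the condition under which the report suggests showing a statusline message. Passing sizeof edit.buffer rather than a separate constant keeps the bound tied to the actual array size.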
