Re: VFS crash fixed

Hi, Andrew!

> : I remember rare crashes in MC after intensive use of different types of
> : VFS. This must be the fix for that problem.
> It seems now mc will crash after dereferencing of NULL(s).

It doesn't crash for me. I tested it very carefully.

The crash always happened in is_num(), and this function checks columns[idx]
before dereferencing it.

From what I see, the code is careful to call is_num() before calling
atol(), but some other libc functions may indeed be called with NULL, for
example, is_dos_date() may pass NULL to strlen().

Maybe some wrong input could crash MC. Connecting to a compromised ssh
server with fish may be a security risk.

> The real problem is a buffer overflow. There are a lot of places where
> index is incremented without checking the real number of members in columns.
> Maybe it is more right to write a columns () function to return nth element
> of that array.

What I really really want to do is to replace all that code with a yacc
program some day. The real problem is not having it.

> And now it is more right to fill `columns' with pointers to empty string ("").

Let me think about it. I'll do it tomorrow unless I find something better.

Pavel Roskin
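
The bounds-checked accessor suggested in the quoted reply, sketched as an added example that is not part of the original message and not MC's code. `MAXCOLS`, `split_line()`, `column()`, `column_is_num()` and `column_size()` are hypothetical names, and the listing lines are constructed.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAXCOLS 30              /* assumed capacity, not taken from MC */

static char *columns[MAXCOLS];  /* pointers into the split line */
static int   ncolumns;          /* number of entries actually filled */

/* Split a writable listing line on whitespace; extra fields are dropped. */
static int split_line(char *line)
{
    ncolumns = 0;
    memset(columns, 0, sizeof columns);
    for (char *tok = strtok(line, " \t\r\n"); tok && ncolumns < MAXCOLS;
         tok = strtok(NULL, " \t\r\n"))
        columns[ncolumns++] = tok;
    return ncolumns;
}

/* Bounds-checked accessor: never returns NULL, so strlen()/atol() are safe. */
static const char *column(int idx)
{
    if (idx < 0 || idx >= ncolumns || columns[idx] == NULL)
        return "";
    return columns[idx];
}

/* Numeric check built on column(); an empty or missing field is not a number. */
static int column_is_num(int idx)
{
    const char *s = column(idx);
    return isdigit((unsigned char)s[0]) != 0;
}

/* Parse a size field; returns -1 when the field is missing or not numeric. */
static long column_size(int idx)
{
    return column_is_num(idx) ? atol(column(idx)) : -1;
}

int main(void)
{
    char truncated[] = "-rw-r--r-- 1 user";   /* constructed: line cut short */
    split_line(truncated);
    /* Index 4 and 7 are past the end; both reads stay in bounds. */
    return column_size(4) == -1 && strlen(column(7)) == 0 ? 0 : 1;
}
```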
