fix: replace fixed 1023-byte stack buffer with GString in main_url_handler#1327
Merged
karlkleinpaste merged 1 commit intoJun 19, 2026
Merged
Conversation
Contributor
|
This one has conflicts. Looking at how the code at now stands, with the other 4 PRs complete (did I cause the conflict by completing others out of order?), I'm a bit mystified for what to do with this. If you could take a 2nd look and adjust it, I'll be happy to complete it. |
…ndler The URL handler for passagestudy.jsp-style URLs used a fixed 1023-byte stack buffer (tmpbuf) with strncpy to extract the portion of the URL before '?'. When the URL prefix before '?' exceeded 1022 characters, strncpy would fill the buffer without null termination, and the subsequent null-byte write at tmpbuf[place - url] would write past the boundary. Replace with dynamic GString allocation via g_string_append_len.
hyder365
force-pushed
the
pr-0001-fix-stack-buffer
branch
from
1359bf6 to
3a7ae4b
Compare
Contributor
Author
|
Rebased this branch onto current master and resolved the conflict. The updated diff keeps the missing- |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The URL handler for passagestudy.jsp-style URLs used a fixed 1023-byte
stack buffer (tmpbuf) with strncpy to extract the portion of the URL
before '?'. When the URL prefix before '?' exceeds 1022 characters,
strncpy fills the buffer without null termination, and the subsequent
null-byte write at tmpbuf[place - url] writes past the boundary.
Replace with dynamic GString allocation via g_string_append_len.
Commit adf7ae7 upstream added a null-pointer check for the result of
strchr(url, '?'), which is important but does not address the
fixed-buffer overflow. This fix replaces the stack buffer entirely.