Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999_1

Bugtraq archives for 1st quarter (Jan-Mar) 1999: Lynx 2.8 overflow

Lynx 2.8 overflow

Mixter (mixterHOME.POPMAIL.COM)
Tue, 16 Mar 1999 00:26:31 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: aleph1UNDERGROUND.ORG: "Microsoft Security Bulletin (MS99-009)"
Previous message: kasper: "/usr/bin/doscmd on BSDI"

Sorry if this is a well-known bug

This was tested with Lynx Version 2.8.1pre.9.
An IMG tag with a width of about 250 chars instantly crashes
this version (and probably others). This bug is not
limited to lynx, it was first discovered with MSIE 4/5.

As far as I know, the overflow is due to a limited and
non-checked buffer in function strrchr() ...

Here is some sample code:
<img width=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001>
FAILED<br><br>

Mixter

----------------------
members.xoom.com/i0wnu

Next message: aleph1UNDERGROUND.ORG: "Microsoft Security Bulletin (MS99-009)"
Previous message: kasper: "/usr/bin/doscmd on BSDI"