[9931] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Lynx 2.8 overflow

daemon@ATHENA.MIT.EDU (Mixter)
Tue Mar 16 16:03:57 1999

Date: 	Tue, 16 Mar 1999 00:26:31 +0100
Reply-To: Mixter <mixter@HOME.POPMAIL.COM>
From: Mixter <mixter@HOME.POPMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG

Sorry if this is a well-known bug

This was tested with Lynx Version 2.8.1pre.9.
An IMG tag with a width of about 250 chars instantly crashes
this version (and probably others). This bug is not
limited to lynx, it was first discovered with MSIE 4/5.

As far as I know, the overflow is due to a limited and
non-checked buffer in function strrchr() ...

Here is some sample code:
<img width=000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001>
FAILED<br><br>

Mixter

----------------------
members.xoom.com/i0wnu


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[9931] in bugtraq

Lynx 2.8 overflow

daemon@ATHENA.MIT.EDU (Mixter)Tue Mar 16 16:03:57 1999

daemon@ATHENA.MIT.EDU (Mixter)
Tue Mar 16 16:03:57 1999