fetchf_uristring() was failing to handle error values from fetch_setting(), resulting in its attempting to allocate extremely large temporary buffers on the stack (and so overrunning the stack and locking up the machine). Problem reported by Shao Miller <Shao.Miller@yrdsb.edu.on.ca>.

17年前 · 4e6b62c946
--- a/src/core/settings.c
+++ b/src/core/settings.c
 
															
															 static int fetchf_uristring ( struct settings *settings,
														
 
															
															 			      struct setting *setting,
														
 
															
															 			      char *buf, size_t len ) {
														
 
															
															-	size_t raw_len;
														
 
															
															+	ssize_t raw_len;
														
 
															
															 	/* We need to always retrieve the full raw string to know the
														
 
															
															 	 * length of the encoded string.
														
 
															
															 	 */
														
 
															
															 	raw_len = fetch_setting ( settings, setting, NULL, 0 );
														
 
															
															+	if ( raw_len < 0 )
														
 
															
															+		return raw_len;
														
 
															
															+
														
 
															
															 	{
														
 
															
															 		char raw_buf[ raw_len + 1 ];