BBS:      TELESC.NET.BR
Assunto:  src/syncterm/ripper.c
De:       Deuc¨
Data:     Sun, 15 Mar 2026 14:09:13 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/2054747bb2823818ea5d1a0d
Modified Files:
	src/syncterm/ripper.c
Log Message:
Fix multiple ripper.c security and correctness bugs

Security fixes:
- Add path traversal checks (..//\) to LOAD_ICON, WRITE_ICON,
  ENTER_BLOCK_MODE, and font file loading
- Add overflow guard for ICN pixel buffer allocation (32-bit)
- Clamp viewport coordinates to world frame dimensions
- Cap handle_command_str recursion depth to 64
- Fix sprintf stack overflow in FILE_QUERY case 4 (snprintf)
- Guard parse_string NULL return in do_rip_command
- Guard strdup NULL return in bicmp

Correctness fixes:
- Remove incorrect viewport offsets from EXTENDED_TEXT_WINDOW (v2+)
- Fix MOUSE hot field y2 using viewport.sx instead of .sy
- Fix POLY_LINE y1 init using x_dim instead of y_dim
- Fix conn_send length for FILE_QUERY \r\n responses (2 -> 3)
- Fix draw_pixel XOR mode memory leak (freepixels before return)
- Fix ansi_only() missing break before fall-through
- Reject zero dimensions in SET_WORLD_FRAME
- Clamp do_popup dimensions to screen size
- Fix init_rip_ver memory leaks (mouse fields, clipboard, scb)
- Add Amiga font file validation at load time
- Add per-case argc checks in do_skypix
- Handle realloc failure in reinit_screen gracefully
- Add NULL checks for getpixels in set_line and flood fill

Co-Authored-By: Claude Opus 4.6 
n
---
  mSynchronetn  hgVertrauen n hHome of Synchronet n gh[vert/cvs/bbs].synchro.net

-----------------------------------------------------------
[Voltar]