1. Forum
  2. DOVE-Net
  3. Synchronet Programming

  • src/syncterm/ripper.c

    From Deuc¿@VERT to Git commit to main/sbbs/master on Wednesday, April 26, 2023 12:14:15
    https://gitlab.synchro.net/main/sbbs/-/commit/ac4a967c92244c8c12ac6398
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix Win32 console (and likely curses) crash on connect

    RIP initialization was trying to obtain a lock that only exists when
    using a bitmap console. Don't allow RIP to be enabled, and don't
    perform the operations that require the lock when the CONIO_OPT_SET_PIXEL ciolib option is not set.

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Wednesday, August 02, 2023 22:57:40
    https://gitlab.synchro.net/main/sbbs/-/commit/236064ee462ca2be3b81cd77
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Properly read extended keys in non-graphics builds.

    Fixes SF issue 118

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Thursday, February 15, 2024 15:04:14
    https://gitlab.synchro.net/main/sbbs/-/commit/ec4a8c96c24994cb157ac491
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Move fiddling with rip.x_max and rip.y_max out of the vstat mutex.

    Apparently, fiddling with them in there "strongly implies" to Coverity
    that vstatlock needs to be held to access them, and it's good form
    to have the lock held for the least span possible.

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Friday, March 22, 2024 02:16:53
    https://gitlab.synchro.net/main/sbbs/-/commit/4ed27ca97ae7f21f56d038b6
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Use safer string things...

    We really need strlcpy()/strlcat() wrappers in xpdev.

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Friday, September 27, 2024 23:15:55
    https://gitlab.synchro.net/main/sbbs/-/commit/75008b3055306224ca0272cc
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix a couple use-after-free bugs in RIP

    This likely is the cause of bug 140.

    The first one, the LCF flag is copied out of the cterm struct
    after cterm_end() is called (which frees the struct). Copy moved
    to before cterm_end().

    The second one is trickier... it's executing the commands in a mouse
    button, and one of the commands is to delete all the mouse button
    commands. This ends up free()ing the string that's currently being
    parsed while it's being parsed. We now use a strdup() of the string
    which we free at the end of the function.

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Friday, September 27, 2024 23:40:23
    https://gitlab.synchro.net/main/sbbs/-/commit/9fefe60690d8c378c13ccd96
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix builds that don't support any graphics.

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Sunday, February 22, 2026 11:38:19
    https://gitlab.synchro.net/main/sbbs/-/commit/f73b6e394587333ffd76521c
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Parse RIP_NO_MORE in RIP_STATE_PIPE, not RIP_STATE_CMD

    This will likely screw up on !|0#, but hopefully nobody has ever done
    that.

    Fixes ticket 218

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Monday, February 23, 2026 16:17:52
    https://gitlab.synchro.net/main/sbbs/-/commit/27e6a20fa2b8661b46668d88
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix new potential RIP crash

    Would potentially use a negative length after a |#

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Sunday, March 15, 2026 01:06:05
    https://gitlab.synchro.net/main/sbbs/-/commit/bb2238f684befe43deb34cea
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix heap buffer overflows in ripper.c RIPscrip command handling

    Four strcat() calls append RIPscrip arguments (from the remote server)
    to cache_path[MAX_PATH+1] without checking whether the result fits.
    The path-traversal guards reject "..", "/", and "\" but do not limit
    length. A long filename from a malicious RIPscrip server overflows
    the buffer.

    Changed to strlcat(cache_path, ..., sizeof(cache_path)) at all four
    sites: file-query (&args[6]), icon-load (&args[9] + ".ICN"), and
    icon-save (&args[1]). The existing SkyPix download path already had
    a strlen() guard and was not affected.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Sunday, March 15, 2026 14:09:13
    https://gitlab.synchro.net/main/sbbs/-/commit/2054747bb2823818ea5d1a0d
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix multiple ripper.c security and correctness bugs

    Security fixes:
    - Add path traversal checks (..//\) to LOAD_ICON, WRITE_ICON,
    ENTER_BLOCK_MODE, and font file loading
    - Add overflow guard for ICN pixel buffer allocation (32-bit)
    - Clamp viewport coordinates to world frame dimensions
    - Cap handle_command_str recursion depth to 64
    - Fix sprintf stack overflow in FILE_QUERY case 4 (snprintf)
    - Guard parse_string NULL return in do_rip_command
    - Guard strdup NULL return in bicmp

    Correctness fixes:
    - Remove incorrect viewport offsets from EXTENDED_TEXT_WINDOW (v2+)
    - Fix MOUSE hot field y2 using viewport.sx instead of .sy
    - Fix POLY_LINE y1 init using x_dim instead of y_dim
    - Fix conn_send length for FILE_QUERY \r\n responses (2 -> 3)
    - Fix draw_pixel XOR mode memory leak (freepixels before return)
    - Fix ansi_only() missing break before fall-through
    - Reject zero dimensions in SET_WORLD_FRAME
    - Clamp do_popup dimensions to screen size
    - Fix init_rip_ver memory leaks (mouse fields, clipboard, scb)
    - Add Amiga font file validation at load time
    - Add per-case argc checks in do_skypix
    - Handle realloc failure in reinit_screen gracefully
    - Add NULL checks for getpixels in set_line and flood fill

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Sunday, March 15, 2026 22:51:39
    https://gitlab.synchro.net/main/sbbs/-/commit/5ca54e09393c1068e32e599f
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix draw_button() off-by-one errors for exclusive box coordinates

    box.x2/y2 are exclusive (one past end), so:
    - Sunken border right/bottom highlight lines drew one pixel too far out
    - Recessed border width/height were one pixel too large, pushing the
    outer border off-screen for full-width buttons

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Tuesday, March 17, 2026 11:59:17
    https://gitlab.synchro.net/main/sbbs/-/commit/e9b4206eb16d93e29dd10df7
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Replace dead argc check with malloc NULL check in do_skypix()

    The argc < 1 guard was unreachable because the counting loop always
    increments argc at least once. Replace it with a NULL check on the
    malloc() result, which was the actual missing guard.
    (Coverity CID 501977)

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Tuesday, March 17, 2026 11:59:17
    https://gitlab.synchro.net/main/sbbs/-/commit/7350fd498615bb280d1244dd
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Check fread() return when loading Amiga font in do_skypix()

    A short read would leave amiga_font partially uninitialized before
    the byte-swapping and offset validation that follows. Matches the
    existing fread check for the font list file earlier in the same
    function. (Coverity CID 501980)

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¨@VERT to Git commit to main/sbbs/master on Saturday, March 21, 2026 19:53:02
    https://gitlab.synchro.net/main/sbbs/-/commit/6cce9286f030bf47bd57e6d5
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix three |# (RIP_NO_MORE) parsing bugs in parse_rip()

    Bug reported by NightFox, who should really open bug reports on
    SourceForge instead of making people chase things down secondhand.

    1. Stale '!' rendered when |# follows non-RIP text

    When non-RIP bytes precede '!' in the same buffer (e.g. the common
    case of \n\r or \r\n line endings before a RIP line), rip_start is
    non-zero. The |# handler called handle_rip_line() which took its
    first branch: deferring the RIP data to pending, truncating blen to
    rip_start, and returning false. But the handler unconditionally ran
    rip_start = pos + 1, which now exceeded blen. At the end of
    parse_rip(), rip_start <= maxlen was true but rip_start > blen, so
    buffer_rip was skipped but rip_start was returned as the output
    length Ä reading the stale '!' byte from the physically-uncleared
    buffer position. Commit 27e6a20f added the rip_start <= blen guard
    to prevent a crash but did not fix the data leak.

    Fix: check handle_rip_line()'s return value. When it returns false
    (deferred), don't modify rip_start. When it returns true (processed
    immediately), do the post-processing as before. Also pass
    RIP_STATE_BANG instead of RIP_STATE_CMD since both paths want BANG
    state after |#.

    2. |# must flush immediately, even when deferred

    The entire purpose of the |# special handling (added in 93e05beb)
    is to flush RIP commands without waiting for a line terminator.
    When handle_rip_line() defers (returns false), the RIP data sits
    in pending unprocessed until the next parse_rip() call Ä defeating
    the flush semantics. This matters for interactive commands like
    the NY2008 popup (|1000) that block waiting for user input: the
    popup wouldn't appear until after the next data arrived.

    Fix: when handle_rip_line() returns false, process pending
    immediately via do_rip_string() and reset newstate to FLUSHING
    so the next flush call knows there's nothing left to process.

    3. |# bytes leak as visible text from moredata

    When handle_rip_line()'s first branch defers RIP data, remaining
    bytes after |# are saved to moredata. On the next parse_rip()
    call, the flush path processes pending and switches to moredata.
    But handle_rip_line() unconditionally resets rip_start to the
    sentinel (maxlen+1), even though the restored state (BANG) means
    the moredata buffer is entirely RIP data. With rip_start as
    sentinel, the |# handler's handle_rip_line() call took the second
    path with remove=0, failing to remove the |# bytes from the
    buffer. They were then returned to the caller as visible text.

    Fix: after the flush path switches to moredata, re-check the
    restored state. If it's not BOL/MOL (i.e. still inside a RIP
    sequence), reset rip_start to 0.

    4. Allow '!' to start new RIP sequence after |#

    Per the spec, |# means "end of RIPscrip scene." Testing against
    RIPterm (reference implementation) confirms that '!' after |# on
    the same line starts a new RIP sequence. SyncTERM's BANG state
    only accepted '|', sending '!' to unrip_line -> MOL where it was
    rejected as a RIP start character.

    Fix: accept '!', '\x01', and '\x02' in RIP_STATE_BANG, updating
    rip_start and staying in BANG. This matches RIPterm's behavior
    where both |#|#|# (repeated NO_MORE) and |#!|... (new sequence)
    work on the same line.

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¨@VERT to Git commit to main/sbbs/master on Saturday, March 21, 2026 21:02:24
    https://gitlab.synchro.net/main/sbbs/-/commit/c438d8a8d55fcc325c3911af
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Restrict post-|# bang acceptance to new RIP_STATE_NO_MORE state

    The '!' acceptance added in 6cce9286f0 was in RIP_STATE_BANG, which
    is also entered from BOL when the initial '!' is seen. This caused
    "!!|c04|..." to treat the second '!' as a new RIP sequence start
    instead of falling out of RIP parsing Ä the entire line should
    display as literal text since '!!' is not a valid RIP start.

    Add RIP_STATE_NO_MORE, entered only by |# (RIP_NO_MORE). Only this
    state accepts '!'/CTRL-A/CTRL-B for starting a new RIP sequence.
    RIP_STATE_BANG reverts to only accepting '|'.

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net