Re: [dev] [sbase] sha512-224sum: stack-buffer-overflow

From: Steffen Nurpmeso <steffen_AT_sdaoden.eu>
Date: Mon, 03 Nov 2025 19:23:20 +0100

Страхиња Радић wrote in
 <xota56vyn6cmpbgyjhuh776b2iiqdwm7r5h2wlko3rbieqohos_AT_kjxt67tigmx3>:
 |Дана 25/11/03 12:21PM, Roberto E. Vargas Caballero написа:
 |> I think the problem comes more from the fact that the code
 |> is not ready for empty strings and it does something like
 |> strlen(s) - 1 to remove the eos and then it is fucked.
 |
 |If that is the case, then maybe assert(3) would help in future such
 |cases. Granted, it adds LoC, but makes these kind of errors easier to
 |pinpoint.

personal opinion: assert should not be in shipout code, and if
0 is a legitimate thing (anything is legitimate if data comes from
a user), then assert is wrong per se.

 --End of <xota56vyn6cmpbgyjhuh776b2iiqdwm7r5h2wlko3rbieqohos_AT_kjxt67tigmx3>

Having said that, my beloved BSD-style Linux Distribution CRUX
(there is only ever Alpine and CRUX for me; void i would need to
recheck, but what did they do to the project founder, who did that
great -- afaik -- package manager; TinyCore was not for me) just
introduced via notify email a dependency on rust today! Pretty
sure that now meanders, now that it is in, and the little overlay
i will introduce will soon no longer be manageable. I need it for
gdk-pixbuf which is needed by gtk3 which is needed by firefox-bin
(Mozilla compiled binary). I have now downloaded the tor browser,
but it seems it also needs gtk environment back and forth. What
a mess. I just cannot live without a browser that can access
"those things", once in a while.

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
Received on Mon Nov 03 2025 - 19:23:20 CET