Subj : src/sbbs3/getstr.cpp main.cpp sbbs.h
To   : Git commit to main/sbbs/master
From : Rob Swindell (on ChromeOS)
Date : Sat Apr 08 2023 09:17 pm

https://gitlab.synchro.net/main/sbbs/-/commit/131f9d7cc0c6ae9805207e9b

Modified Files:
src/sbbs3/getstr.cpp main.cpp sbbs.h

Log Message:
Fix 20+ year old bug that allowed getstr(... K_WRAP) to overflow wordwrap buf

The sbbs_t::wordwrap[] buffer was 81 characters (80 printable characters, plus NUL terminator) and sbbs_t.getstr(), when used with the K_WRAP mode flag, could potentially write more than 81 characters to this buffer (e.g. when using a wider than 80 column terminal and writing a message with the internal line editor, which calls sbbs_t::getstr(... K_WRAP)). This would corrupt sbbs_t members after wordwrap[], which included pointers that would be freed in the sbbs_t destructor (~sbbs_t) and subsequently page/segfault, as seen in issue #545.

This change increases the wordwrap buffer to likely twice the size needed (maximum columns + NUL terminator) and adds wordwrap bounds checking to sbbs_t::getstr().

There were comments indicating crash sightings in the sbbs_t destructor going back to 2002, so this commit removes those comments.

Thanks to Nelgin for providing the gdb dump details ('print *this') that was the clue needed to reach the root-cause determination.

This fixes issue #545.
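The failure mode the commit describes (an unchecked copy into a fixed 81-byte buffer that sits directly in front of pointer members, which the destructor later frees) is the classic intra-object overflow. The following is an added example, not Synchronet code: it uses a hypothetical struct whose layout mirrors that description, shows the unchecked copy pattern for contrast, and implements the kind of bounds check the commit adds, verifying that the neighbouring pointer member is left intact even when the carried-over word is longer than the buffer. The struct name, the field names, and the 120-character input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Synchronet code. The struct mirrors the layout the commit
 * describes: a fixed-size wordwrap buffer followed by a pointer member that the
 * object's destructor later frees. Sizes are the pre-fix values (80 + NUL). */
#define MAX_PRINTABLE 80
#define WORDWRAP_LEN  (MAX_PRINTABLE + 1)

struct editor_state {
    char  wordwrap[WORDWRAP_LEN];
    char *heap_member;   /* stands in for the pointers that got clobbered */
};

/* Returns the trailing word of 'line' (text after the last space), which is
 * what a K_WRAP-style editor carries over to the next line. */
static const char *trailing_word(const char *line) {
    const char *sp = strrchr(line, ' ');
    return sp ? sp + 1 : line;
}

/* Pre-fix pattern, shown for contrast only: no bound on the copy. With a
 * terminal wider than MAX_PRINTABLE columns the trailing word can exceed
 * WORDWRAP_LEN and the write runs into heap_member (undefined behaviour),
 * so this must only ever be called with inputs known to fit. */
static void wrap_unchecked(struct editor_state *st, const char *line) {
    strcpy(st->wordwrap, trailing_word(line));
}

/* Bounds-checked pattern: returns the number of characters stored, or -1 and
 * an empty buffer when the trailing word would not fit. Never writes past
 * the end of wordwrap[]. */
static int wrap_checked(struct editor_state *st, const char *line) {
    const char *word = trailing_word(line);
    size_t len = strlen(word);
    if (len >= sizeof st->wordwrap) {
        st->wordwrap[0] = '\0';
        return -1;
    }
    memcpy(st->wordwrap, word, len + 1);
    return (int)len;
}

/* Wraps 'line' into a fresh state with the checked routine and reports whether
 * the neighbouring pointer member survived untouched (1) or not (0); the
 * stored length (or -1) is returned through 'stored_len'. */
int checked_wrap_preserves_neighbour(const char *line, int *stored_len) {
    struct editor_state st;
    char sentinel;
    memset(&st, 0, sizeof st);
    st.heap_member = &sentinel;
    *stored_len = wrap_checked(&st, line);
    return st.heap_member == &sentinel;
}

/* Builds a single 120-character "word": constructed input standing in for a
 * line typed on a terminal wider than 80 columns. */
void make_overlong_word(char *buf, size_t bufsz) {
    size_t n = bufsz - 1 < 120 ? bufsz - 1 : 120;
    memset(buf, 'x', n);
    buf[n] = '\0';
}

int main(void) {
    struct editor_state st;
    char line[200];
    int len;

    memset(&st, 0, sizeof st);
    wrap_unchecked(&st, "short line fits");   /* safe only because the word is short */
    printf("unchecked (short word): \"%s\"\n", st.wordwrap);

    make_overlong_word(line, sizeof line);
    if (checked_wrap_preserves_neighbour(line, &len))
        printf("checked (120-char word): rejected (len=%d), neighbour intact\n", len);
    return 0;
}
```

The check compares against `sizeof st->wordwrap` rather than a separate constant, so enlarging the buffer (as the commit does) cannot silently desynchronise the limit from the array; the rejection path also leaves the buffer NUL-terminated so later readers of it do not run off its end.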