https://gitlab.synchro.net/main/sbbs/-/commit/75008b3055306224ca0272cc
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix a couple use-after-free bugs in RIP

This likely is the cause of bug 140.

The first one, the LCF flag is copied out of the cterm struct
after cterm_end() is called (which frees the struct). Copy moved
to before cterm_end().

The second one is trickier... it's executing the commands in a mouse
button, and one of the commands is to delete all the mouse button
commands. This ends up free()ing the string that's currently being
parsed while it's being parsed. We now use a strdup() of the string
which we free at the end of the function.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/9fefe60690d8c378c13ccd96
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix builds that don't support any graphics.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/1a74630f9654033b92b0fe28
Modified Files:
src/syncterm/ripper.c
Log Message:
When RIP changes the vstat mode, also change the cursor

When changing between 8 and 16 row fonts in RIP mode, the cursor
start and end was left for the old font size... 16 -> 8 would leave
the cursor one line below the current position, and 8 -> 16 would
leave the cursor in the middle of the cell.

This hacks the vstat deeper to fix up the cursor as well.

Reported by skipperdoodle1947.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/0a78d39dd2e3389140dff826
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix handling of broken CRLF pairs in RIP mode

If telnet binary mode is enabled (the new default), and a CR and LF
come in on separate recv() calls, the RIP parser would stop at the
CR, and pass the LF back to the ANSI parser.

Ah, dura-bbs.net, always pushing the limits.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/9b3aa58cf998d1c1015560b3
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix up previous commit

RIPtel reset to the font configured by the user, not the current
font. Do the same here.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/d48528a74ff6605ef1f7aee0
Modified Files:
src/syncterm/ripper.c
Log Message:
Just because we're *compiled* with graphics support doesn't mean
we support them in the current mode.

Fixes issue 175

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/ea4f8b4efe0a8e5e837398c5
Modified Files:
src/syncterm/ripper.c
Log Message:
Eliminate a couple more Coverity issues via temporary variables.

This gets the assignment to the rip.* members out of the lock so
Coverity doesn't assume they need to be protected by the lock.

It should compile to the same thing.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/6f8678eb9e0d40dd72a0897e
Modified Files:
src/syncterm/ripper.c
Log Message:
"Range check" RIP ICN width/height to untaint them.

This is purely to shut up Coverity since there's no way the value
could be outside the range.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a98f8a44c3429b19fbef6803
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix a memory leak and an allowed out-of-bounds access.

Thanks Coverity!

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/444fecaf4af203b773ca5833
Modified Files:
src/syncterm/ripper.c
Log Message:
Add unreachable code

Coverity thinks it can do the default case.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a64e68143b0c192a44a840ff
Modified Files:
src/syncterm/ripper.c
Log Message:
Do the lock assertion thing in ripper.c too.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/f41de9a1f41359c845de5371
Modified Files:
src/syncterm/ripper.c
Log Message:
Now that vstat.vmem has more stuff, ripper needs to hack up more.

Fixes assertion/crash in 91-column mode (used in LORD intro screens)

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2aac6ec016aa3629c643e019
Modified Files:
src/syncterm/ripper.c
Log Message:
Initialize the *new* memory, not the old stuff.

Fixes various memory corruptions with RIP

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/c464596b33610cc1683b69fd
Modified Files:
src/syncterm/ripper.c
Log Message:
Work around what appears to be an integer promotion issue

On an aarch64 Chromebook running gcc 12.2.0, these would wrap in
weird ways causing vector fonts to be positioned incorrectly.

It managed to say that (25 - -7) * 4 / 3 == -168
This casting dance appears to resolve the issue.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/a97b1adad05bc8aec50278bf
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix possibly undefined value in ellipse.

Top-right quadrant doesn't need a quadrant angle, the angle is what
we want already.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/09b2157307bcfb080f0357a8
Modified Files:
src/syncterm/ripper.c
Log Message:
Attempt to silence false positive warning.

The warning suggests that x1 and y1 may be uninitialized in the i > 0
block, but that's not really possible...

It's too bad the warning doesn't clarify. It's also weird that the
warning was in the draw_line() call and not in the lines above that (incorrectly) compared them with -1.

Fix that check while we're here.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/da21613cf1df6e208cf050a1
Modified Files:
src/syncterm/ripper.c
Log Message:
"Fix" CID 487623

This "defect" is incorrect, but meh.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/df3049a041766b8d6e2b132c
Modified Files:
src/syncterm/ripper.c
Log Message:
Implement the RIP button explode flag

Fix invert function, and take 50-100ms to "explode" the button.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/bf88580858251dcb227a658c
Modified Files:
src/syncterm/ripper.c
Log Message:
Cleanup last commit

We don't need to save/restore all this stuff or leak memory.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/07f235bb8481a2696857e937
Modified Files:
src/syncterm/ripper.c
Log Message:
Handle RIP "ANSI extensions" even more better

This change pulls in the entire sequence if it's available, which
allows packet boundaries anywhere at all.

More fixes for feature request 110.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/7714bcbe5262a9359abccaa9
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix typo

The final char we're looking for here is !, not 1.
Also, suppress a new Coverity false-positive (CID 487652) while we're
here.

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/7a35f739a5182bb9c396c91b
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix the Coverity suppression maybe?

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/f73b6e394587333ffd76521c
Modified Files:
src/syncterm/ripper.c
Log Message:
Parse RIP_NO_MORE in RIP_STATE_PIPE, not RIP_STATE_CMD

This will likely screw up on !|0#, but hopefully nobody has ever done
that.

Fixes ticket 218

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/27e6a20fa2b8661b46668d88
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix new potential RIP crash

Would potentially use a negative length after a |#

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/bb2238f684befe43deb34cea
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix heap buffer overflows in ripper.c RIPscrip command handling

Four strcat() calls append RIPscrip arguments (from the remote server)
to cache_path[MAX_PATH+1] without checking whether the result fits.
The path-traversal guards reject "..", "/", and "\" but do not limit
length. A long filename from a malicious RIPscrip server overflows
the buffer.

Changed to strlcat(cache_path, ..., sizeof(cache_path)) at all four
sites: file-query (&args[6]), icon-load (&args[9] + ".ICN"), and
icon-save (&args[1]). The existing SkyPix download path already had
a strlen() guard and was not affected.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/2054747bb2823818ea5d1a0d
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix multiple ripper.c security and correctness bugs

Security fixes:
- Add path traversal checks (..//\) to LOAD_ICON, WRITE_ICON,
ENTER_BLOCK_MODE, and font file loading
- Add overflow guard for ICN pixel buffer allocation (32-bit)
- Clamp viewport coordinates to world frame dimensions
- Cap handle_command_str recursion depth to 64
- Fix sprintf stack overflow in FILE_QUERY case 4 (snprintf)
- Guard parse_string NULL return in do_rip_command
- Guard strdup NULL return in bicmp

Correctness fixes:
- Remove incorrect viewport offsets from EXTENDED_TEXT_WINDOW (v2+)
- Fix MOUSE hot field y2 using viewport.sx instead of .sy
- Fix POLY_LINE y1 init using x_dim instead of y_dim
- Fix conn_send length for FILE_QUERY \r\n responses (2 -> 3)
- Fix draw_pixel XOR mode memory leak (freepixels before return)
- Fix ansi_only() missing break before fall-through
- Reject zero dimensions in SET_WORLD_FRAME
- Clamp do_popup dimensions to screen size
- Fix init_rip_ver memory leaks (mouse fields, clipboard, scb)
- Add Amiga font file validation at load time
- Add per-case argc checks in do_skypix
- Handle realloc failure in reinit_screen gracefully
- Add NULL checks for getpixels in set_line and flood fill

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net

https://gitlab.synchro.net/main/sbbs/-/commit/5ca54e09393c1068e32e599f
Modified Files:
src/syncterm/ripper.c
Log Message:
Fix draw_button() off-by-one errors for exclusive box coordinates

box.x2/y2 are exclusive (one past end), so:
- Sunken border right/bottom highlight lines drew one pixel too far out
- Recessed border width/height were one pixel too large, pushing the
outer border off-screen for full-width buttons

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---
þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net