2009-01-25 22:16 UTC+0100 Viktor Szakats (harbour.01 syenar hu)

* source/rtl/philes.c
    ! FWRITE(): Fixed accessing past the string buffer (thus 
      causing potential GPF and a huge security hole) when
      the passed length is greate than the lenght of the string.
      Very old bug. In fact CA-Cl*pper suffers from the same 
      problem, and behavior for such case is not documented.
      Harbour will ignore the length parameter (thus writing 
      the whole passed string), if the length is invalid.

harbour/ChangeLog

@@ -8,6 +8,16 @@
    2008-12-31 13:59 UTC+0100 Foo Bar (foo.bar foobar.org)
 */
 
+2009-01-25 22:16 UTC+0100 Viktor Szakats (harbour.01 syenar hu)
+  * source/rtl/philes.c
+    ! FWRITE(): Fixed accessing past the string buffer (thus
+      causing potential GPF and a huge security hole) when
+      the passed length is greate than the lenght of the string.
+      Very old bug. In fact CA-Cl*pper suffers from the same
+      problem, and behavior for such case is not documented.
+      Harbour will ignore the length parameter (thus writing
+      the whole passed string), if the length is invalid.
+
 2009-01-25 12:30 UTC+0100 Francesco Saverio Giudice (info/at/fsgiudice.com)
   * harbour/contrib/examples/uhttpd/uhttpd.prg
     + Added hb_Inet*() version

harbour/source/rtl/philes.c

@@ -152,9 +152,18 @@ HB_FUNC( FWRITE )
 
    if( ISNUM( 1 ) && ISCHAR( 2 ) )
    {
+      ULONG nLen = hb_parclen( 2 );
+
+      if( ISNUM( 3 ) )
+      {
+         ULONG nWrite = ( ULONG ) hb_parnl( 3 );
+         if( nWrite < nLen )
+            nLen = nWrite;
+      }
+
       hb_retnl( hb_fsWriteLarge( hb_numToHandle( hb_parnint( 1 ) ),
                                  ( BYTE * ) hb_parc( 2 ),
-                                 ISNUM( 3 ) ? ( ULONG ) hb_parnl( 3 ) : hb_parclen( 2 ) ) );
+                                 nLen ) );
       uiError = hb_fsError();
    }
    else