From 3fb63e0f0b257282e824cb734a3bbdea436ac584 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Sun, 25 Jan 2009 21:19:17 +0000 Subject: [PATCH] 2009-01-25 22:16 UTC+0100 Viktor Szakats (harbour.01 syenar hu) * source/rtl/philes.c ! FWRITE(): Fixed accessing past the string buffer (thus causing potential GPF and a huge security hole) when the passed length is greate than the lenght of the string. Very old bug. In fact CA-Cl*pper suffers from the same problem, and behavior for such case is not documented. Harbour will ignore the length parameter (thus writing the whole passed string), if the length is invalid.
---
 harbour/ChangeLog | 10 ++++++++++ harbour/source/rtl/philes.c | 11 ++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/harbour/ChangeLog b/harbour/ChangeLog
index de81269506..8e2f087f4a 100644
--- a/harbour/ChangeLog
+++ b/harbour/ChangeLog
@@ -8,6 +8,16 @@ 2008-12-31 13:59 UTC+0100 Foo Bar (foo.bar foobar.org) */ +2009-01-25 22:16 UTC+0100 Viktor Szakats (harbour.01 syenar hu) + * source/rtl/philes.c + ! FWRITE(): Fixed accessing past the string buffer (thus + causing potential GPF and a huge security hole) when + the passed length is greate than the lenght of the string. + Very old bug. In fact CA-Cl*pper suffers from the same + problem, and behavior for such case is not documented. + Harbour will ignore the length parameter (thus writing + the whole passed string), if the length is invalid. + 2009-01-25 12:30 UTC+0100 Francesco Saverio Giudice (info/at/fsgiudice.com) * harbour/contrib/examples/uhttpd/uhttpd.prg + Added hb_Inet*() version
diff --git a/harbour/source/rtl/philes.c b/harbour/source/rtl/philes.c
index 6c1450f68c..6271cc8996 100644
--- a/harbour/source/rtl/philes.c
+++ b/harbour/source/rtl/philes.c 
@@ -152,9 +152,18 @@ HB_FUNC( FWRITE )
 if( ISNUM( 1 ) && ISCHAR( 2 ) )
 {
+ ULONG nLen = hb_parclen( 2 );
+
+ if( ISNUM( 3 ) )
+ {
+ ULONG nWrite = ( ULONG ) hb_parnl( 3 );
+ if( nWrite < nLen )
+ nLen = nWrite;
+ }
+
 hb_retnl( hb_fsWriteLarge( hb_numToHandle( hb_parnint( 1 ) ),
 ( BYTE * ) hb_parc( 2 ),
- ISNUM( 3 ) ? ( ULONG ) hb_parnl( 3 ) : hb_parclen( 2 ) ) );
+ nLen ) );
 uiError = hb_fsError();
 }
 else
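Review bot: The added clamp handles a negative third argument only as a side effect of the `( ULONG ) hb_parnl( 3 )` cast — a negative value wraps to a large unsigned, `nWrite < nLen` is false, and the whole string is written — and nothing in the hunk records that this is the intended "invalid length is ignored" behavior the commit message describes. A comment above `if( ISNUM( 3 ) )` such as `/* a length larger than the string, or negative (wraps on the cast), is ignored and the whole string is written */` would keep a later maintainer from "fixing" the unsigned comparison into a signed one and reintroducing the overread. Treating negative lengths the same as oversized ones is a defensible choice, but it is a silent one for callers that previously hit the out-of-bounds read, so it is worth stating in the code as well as in the ChangeLog. FWRITE's body starts before the hunk and its `else` branch continues past it.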