tacme: fix buffer overflow introduced in parsetag refactor - plan9port - [fork] Plan 9 from user space
(HTM) git clone git://src.adamsgaard.dk/plan9port
(DIR) Log
(DIR) Files
(DIR) Refs
(DIR) README
(DIR) LICENSE
---
(DIR) commit 573169dd88ac5ca0cf75d09464dddba398e83011
(DIR) parent 125cfe1c0d29541135eac6da676ed9b48930e38b
(HTM) Author: Russ Cox <rsc@swtch.com>
Date: Mon, 13 Jan 2020 23:17:16 -0500
acme: fix buffer overflow introduced in parsetag refactor
Diffstat:
M src/cmd/acme/fns.h | 2 +-
M src/cmd/acme/look.c | 2 +-
M src/cmd/acme/wind.c | 12 ++++++------
3 files changed, 8 insertions(+), 8 deletions(-)
---
(DIR) diff --git a/src/cmd/acme/fns.h b/src/cmd/acme/fns.h
t@@ -95,7 +95,7 @@ void flushwarnings(void);
void startplumbing(void);
long nlcount(Text*, long, long, long*);
long nlcounttopos(Text*, long, long, long);
-Rune* parsetag(Window*, int*);
+Rune* parsetag(Window*, int, int*);
Runestr runestr(Rune*, uint);
Range range(int, int);
(DIR) diff --git a/src/cmd/acme/look.c b/src/cmd/acme/look.c
t@@ -490,7 +490,7 @@ dirname(Text *t, Rune *r, int n)
goto Rescue;
if(n>=1 && r[0]=='/')
goto Rescue;
- b = parsetag(t->w, &i);
+ b = parsetag(t->w, n, &i);
slash = -1;
for(i--; i >= 0; i--){
if(b[i] == '/'){
(DIR) diff --git a/src/cmd/acme/wind.c b/src/cmd/acme/wind.c
t@@ -113,7 +113,7 @@ delrunepos(Window *w)
Rune *r;
int i;
- r = parsetag(w, &i);
+ r = parsetag(w, 0, &i);
free(r);
i += 2;
if(i >= w->tag.file->b.nc)
t@@ -416,7 +416,7 @@ wincleartag(Window *w)
/* w must be committed */
n = w->tag.file->b.nc;
- r = parsetag(w, &i);
+ r = parsetag(w, 0, &i);
for(; i<n; i++)
if(r[i] == '|')
break;
t@@ -434,7 +434,7 @@ wincleartag(Window *w)
}
Rune*
-parsetag(Window *w, int *len)
+parsetag(Window *w, int extra, int *len)
{
static Rune Ldelsnarf[] = { ' ', 'D', 'e', 'l', ' ', 'S', 'n', 'a', 'r', 'f', 0 };
static Rune Lspacepipe[] = { ' ', '|', 0 };
t@@ -442,7 +442,7 @@ parsetag(Window *w, int *len)
int i;
Rune *r, *p, *pipe;
- r = runemalloc(w->tag.file->b.nc+1);
+ r = runemalloc(w->tag.file->b.nc+extra+1);
bufread(&w->tag.file->b, 0, r, w->tag.file->b.nc);
r[w->tag.file->b.nc] = '\0';
t@@ -483,7 +483,7 @@ winsettag1(Window *w)
/* there are races that get us here with stuff in the tag cache, so we take extra care to sync it */
if(w->tag.ncache!=0 || w->tag.file->mod)
wincommit(w, &w->tag); /* check file name; also guarantees we can modify tag contents */
- old = parsetag(w, &i);
+ old = parsetag(w, 0, &i);
if(runeeq(old, i, w->body.file->name, w->body.file->nname) == FALSE){
textdelete(&w->tag, 0, i, TRUE);
textinsert(&w->tag, 0, w->body.file->name, w->body.file->nname, TRUE);
t@@ -604,7 +604,7 @@ wincommit(Window *w, Text *t)
textcommit(f->text[i], FALSE); /* no-op for t */
if(t->what == Body)
return;
- r = parsetag(w, &i);
+ r = parsetag(w, 0, &i);
if(runeeq(r, i, w->body.file->name, w->body.file->nname) == FALSE){
seq++;
filemark(w->body.file);