59 lines
1.6 KiB
Diff
59 lines
1.6 KiB
Diff
From edc602651c506aeeb60544b55534dd1722a340d3 Mon Sep 17 00:00:00 2001
|
|
From: Rene Kita <mail@rkta.de>
|
|
Date: Thu, 13 Jul 2023 07:50:26 +0200
|
|
Subject: [PATCH] Fix OOB access due to multiple backspaces
|
|
|
|
Commit 419ca82d57 (Fix m17n backspace handling causes out-of-bounds
|
|
write in checkType) introduced an incomplete fix.
|
|
|
|
In function checkType we store the length of the previous multi-char
|
|
character in a buffer plens_buffer with pointer plens pointing to the
|
|
current position inside the buffer. When encountering a backspace plens
|
|
is set to the previous position without a bounds check. This will lead
|
|
to plens being out of bounds if we get more backspaces than we have
|
|
processed multi-char characters before.
|
|
|
|
If we are at the beginning of the buffer do not decrement and set plen
|
|
(the current length) to 0.
|
|
|
|
This also fixes GH Issue #270 [BUG] Out of bound read in Strnew_size ,
|
|
Str.c:61
|
|
|
|
If the above explanation does sound weird it's because I didn't fully
|
|
grok that function. :-)
|
|
---
|
|
etc.c | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/etc.c b/etc.c
|
|
index 128717b..b566151 100644
|
|
--- a/etc.c
|
|
+++ b/etc.c
|
|
@@ -393,7 +393,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
|
|
if (color)
|
|
color -= plen;
|
|
#endif
|
|
- plen = *(--plens);
|
|
+ if (plens == plens_buffer)
|
|
+ plen = 0;
|
|
+ else
|
|
+ plen = *(--plens);
|
|
str += 2;
|
|
}
|
|
}
|
|
@@ -419,7 +422,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
|
|
if (color)
|
|
color -= plen;
|
|
#endif
|
|
- plen = *(--plens);
|
|
+ if (plens == plens_buffer)
|
|
+ plen = 0;
|
|
+ else
|
|
+ plen = *(--plens);
|
|
str++;
|
|
}
|
|
#else
|
|
--
|
|
2.41.0
|
|
|