43 lines
1.5 KiB
Diff
The code in tw_str_add() attempts to be efficient by sliding the
pointers to reallocated elements within the string list to the new
virtual address using a computed offset between buffers.

For bounds checked pointers, this produces out of bounds pointers.
Additionally, the subtraction of pointers to different objects is
undefined in C so a sufficiently "smart" compiler could choose to do
anything here since it knows the objects are different.

We need this change on our research platform to avoid crashes in tab
completion.

-- Brooks

commit 85489fafb8fd908ba307df0c774e1706c19cd4b8
Author: Brooks Davis <brooks@one-eyed-alien.net>
Date: Wed Dec 7 01:04:14 2016 +0000

Fix a pointer provenance error in list extension.

When updating pointers to a buffer of linked list elements, derive
the new pointers from the new buffer rather than updating the old pointers
to the new virtual memory address of the buffer (resulting in out of bounds
values).

---
tw.init.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- tw.init.c
+++ tw.init.c 2016-12-07 15:27:20.024397004 +0000
@@ -125,9 +125,8 @@ tw_str_add(stringlist_t *sl, size_t len)
sl->buff = xrealloc(sl->buff, sl->tbuff * sizeof(Char));
/* Re-thread the new pointer list, if changed */
if (ptr != NULL && ptr != sl->buff) {
- intptr_t offs = sl->buff - ptr;
for (i = 0; i < sl->nlist; i++)
- sl->list[i] += offs;
+ sl->list[i] = sl->buff + (sl->list[i] - ptr);
}
disabled_cleanup(&pintr_disabled);
}
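
Review bot: In the added line `sl->list[i] = sl->buff + (sl->list[i] - ptr);`, the subtraction still reads `ptr` and the old `sl->list[i]` values after the `xrealloc()` call at the top of the hunk may have released the buffer they point into, and in C the value of a pointer to an object whose lifetime has ended is indeterminate, so the index computation (and the `ptr != sl->buff` test guarding it) is still formally undefined even though the result is now derived from the new buffer. Consider recording each element's offset from `sl->buff` before the `xrealloc()` call, or keeping offsets rather than pointers in `sl->list`, so that nothing derived from the old allocation is used after it is gone. A short comment on the loop saying why the pointers are re-derived from `sl->buff` instead of shifted by an offset would also help keep a later cleanup from reintroducing the removed form.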