Fix OOB access due to multiple backspaces

Commit 419ca82d57 (Fix m17n backspace handling causes out-of-bounds
write in checkType) introduced an incomplete fix.

In function checkType we store the length of the previous multi-char
character in a buffer plens_buffer with pointer plens pointing to the
current position inside the buffer. When encountering a backspace plens
is set to the previous position without a bounds check. This will lead
to plens being out of bounds if we get more backspaces than we have
processed multi-char characters before.

If we are at the beginning of the buffer do not decrement and set plen
(the current length) to 0.

This also fixes GH Issue #270 [BUG] Out of bound read in Strnew_size ,
Str.c:61

If the above explanation does sound weird it's because I didn't fully
grok that function. :-)
Rene Kita
2023-07-13 07:50:26 +02:00
parent 93ad5ee7da
commit edc602651c

etc.c

@@ -393,6 +393,9 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
if (color) if (color)
color -= plen; color -= plen;
#endif #endif
if (plens == plens_buffer)
plen = 0;
else
plen = *(--plens); plen = *(--plens);
str += 2; str += 2;
} }
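Review bot: `color -= plen;` at the top of this hunk still runs before the new `if (plens == plens_buffer)` guard, so the guard bounds plens only. Whether color stays inside its buffer depends on plen already being 0 when a backspace arrives with no recorded character to step back over. Please confirm that plen is 0 in that state on entry, or move the bounds check ahead of the subtraction. A one-line comment on the guard saying that surplus backspaces are treated as zero-length would also help, since the commit message notes the function is hard to follow.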
@@ -419,6 +422,9 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)
if (color) if (color)
color -= plen; color -= plen;
#endif #endif
if (plens == plens_buffer)
plen = 0;
else
plen = *(--plens); plen = *(--plens);
str++; str++;
} }
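Review bot: the guard added before `str++;` is a verbatim copy of the one added before `str += 2;` in the previous hunk. Given that the earlier fix in 419ca82d57 was incomplete, consider pulling the check and the `plen = *(--plens);` step into one small helper or macro so the two backspace paths cannot drift apart, and add a regression test that feeds the input from issue #270 through checkType.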