aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorRuss Cox <rsc@swtch.com>2020-01-13 23:17:16 -0500
committerRuss Cox <rsc@swtch.com>2020-01-13 23:17:39 -0500
commit573169dd88ac5ca0cf75d09464dddba398e83011 (patch)
tree945bd608a8e1076d21d81b5a440ac026c041b3ff /src
parent125cfe1c0d29541135eac6da676ed9b48930e38b (diff)
downloadplan9port-573169dd88ac5ca0cf75d09464dddba398e83011.tar.gz
plan9port-573169dd88ac5ca0cf75d09464dddba398e83011.tar.bz2
plan9port-573169dd88ac5ca0cf75d09464dddba398e83011.zip
acme: fix buffer overflow introduced in parsetag refactor
Diffstat (limited to 'src')
-rw-r--r--src/cmd/acme/fns.h2
-rw-r--r--src/cmd/acme/look.c2
-rw-r--r--src/cmd/acme/wind.c12
3 files changed, 8 insertions, 8 deletions
diff --git a/src/cmd/acme/fns.h b/src/cmd/acme/fns.h
index fece1dbd..c0339c23 100644
--- a/src/cmd/acme/fns.h
+++ b/src/cmd/acme/fns.h
@@ -95,7 +95,7 @@ void flushwarnings(void);
void startplumbing(void);
long nlcount(Text*, long, long, long*);
long nlcounttopos(Text*, long, long, long);
-Rune* parsetag(Window*, int*);
+Rune* parsetag(Window*, int, int*);
Runestr runestr(Rune*, uint);
Range range(int, int);
diff --git a/src/cmd/acme/look.c b/src/cmd/acme/look.c
index bde8b2c9..35667c6c 100644
--- a/src/cmd/acme/look.c
+++ b/src/cmd/acme/look.c
@@ -490,7 +490,7 @@ dirname(Text *t, Rune *r, int n)
goto Rescue;
if(n>=1 && r[0]=='/')
goto Rescue;
- b = parsetag(t->w, &i);
+ b = parsetag(t->w, n, &i);
slash = -1;
for(i--; i >= 0; i--){
if(b[i] == '/'){
diff --git a/src/cmd/acme/wind.c b/src/cmd/acme/wind.c
index 2782dbc7..0cba5920 100644
--- a/src/cmd/acme/wind.c
+++ b/src/cmd/acme/wind.c
@@ -113,7 +113,7 @@ delrunepos(Window *w)
Rune *r;
int i;
- r = parsetag(w, &i);
+ r = parsetag(w, 0, &i);
free(r);
i += 2;
if(i >= w->tag.file->b.nc)
@@ -416,7 +416,7 @@ wincleartag(Window *w)
/* w must be committed */
n = w->tag.file->b.nc;
- r = parsetag(w, &i);
+ r = parsetag(w, 0, &i);
for(; i<n; i++)
if(r[i] == '|')
break;
@@ -434,7 +434,7 @@ wincleartag(Window *w)
}
Rune*
-parsetag(Window *w, int *len)
+parsetag(Window *w, int extra, int *len)
{
static Rune Ldelsnarf[] = { ' ', 'D', 'e', 'l', ' ', 'S', 'n', 'a', 'r', 'f', 0 };
static Rune Lspacepipe[] = { ' ', '|', 0 };
@@ -442,7 +442,7 @@ parsetag(Window *w, int *len)
int i;
Rune *r, *p, *pipe;
- r = runemalloc(w->tag.file->b.nc+1);
+ r = runemalloc(w->tag.file->b.nc+extra+1);
bufread(&w->tag.file->b, 0, r, w->tag.file->b.nc);
r[w->tag.file->b.nc] = '\0';
@@ -483,7 +483,7 @@ winsettag1(Window *w)
/* there are races that get us here with stuff in the tag cache, so we take extra care to sync it */
if(w->tag.ncache!=0 || w->tag.file->mod)
wincommit(w, &w->tag); /* check file name; also guarantees we can modify tag contents */
- old = parsetag(w, &i);
+ old = parsetag(w, 0, &i);
if(runeeq(old, i, w->body.file->name, w->body.file->nname) == FALSE){
textdelete(&w->tag, 0, i, TRUE);
textinsert(&w->tag, 0, w->body.file->name, w->body.file->nname, TRUE);
@@ -604,7 +604,7 @@ wincommit(Window *w, Text *t)
textcommit(f->text[i], FALSE); /* no-op for t */
if(t->what == Body)
return;
- r = parsetag(w, &i);
+ r = parsetag(w, 0, &i);
if(runeeq(r, i, w->body.file->name, w->body.file->nname) == FALSE){
seq++;
filemark(w->body.file);