diff options
| author | Russ Cox <rsc@swtch.com> | 2020-01-13 23:17:16 -0500 |
|---|---|---|
| committer | Russ Cox <rsc@swtch.com> | 2020-01-13 23:17:39 -0500 |
| commit | 573169dd88ac5ca0cf75d09464dddba398e83011 (patch) | |
| tree | 945bd608a8e1076d21d81b5a440ac026c041b3ff /src | |
| parent | 125cfe1c0d29541135eac6da676ed9b48930e38b (diff) | |
| download | plan9port-573169dd88ac5ca0cf75d09464dddba398e83011.tar.gz plan9port-573169dd88ac5ca0cf75d09464dddba398e83011.tar.bz2 plan9port-573169dd88ac5ca0cf75d09464dddba398e83011.zip | |
acme: fix buffer overflow introduced in parsetag refactor
Diffstat (limited to 'src')
| -rw-r--r-- | src/cmd/acme/fns.h | 2 | ||||
| -rw-r--r-- | src/cmd/acme/look.c | 2 | ||||
| -rw-r--r-- | src/cmd/acme/wind.c | 12 |
3 files changed, 8 insertions, 8 deletions
diff --git a/src/cmd/acme/fns.h b/src/cmd/acme/fns.h index fece1dbd..c0339c23 100644 --- a/src/cmd/acme/fns.h +++ b/src/cmd/acme/fns.h @@ -95,7 +95,7 @@ void flushwarnings(void); void startplumbing(void); long nlcount(Text*, long, long, long*); long nlcounttopos(Text*, long, long, long); -Rune* parsetag(Window*, int*); +Rune* parsetag(Window*, int, int*); Runestr runestr(Rune*, uint); Range range(int, int); diff --git a/src/cmd/acme/look.c b/src/cmd/acme/look.c index bde8b2c9..35667c6c 100644 --- a/src/cmd/acme/look.c +++ b/src/cmd/acme/look.c @@ -490,7 +490,7 @@ dirname(Text *t, Rune *r, int n) goto Rescue; if(n>=1 && r[0]=='/') goto Rescue; - b = parsetag(t->w, &i); + b = parsetag(t->w, n, &i); slash = -1; for(i--; i >= 0; i--){ if(b[i] == '/'){ diff --git a/src/cmd/acme/wind.c b/src/cmd/acme/wind.c index 2782dbc7..0cba5920 100644 --- a/src/cmd/acme/wind.c +++ b/src/cmd/acme/wind.c @@ -113,7 +113,7 @@ delrunepos(Window *w) Rune *r; int i; - r = parsetag(w, &i); + r = parsetag(w, 0, &i); free(r); i += 2; if(i >= w->tag.file->b.nc) @@ -416,7 +416,7 @@ wincleartag(Window *w) /* w must be committed */ n = w->tag.file->b.nc; - r = parsetag(w, &i); + r = parsetag(w, 0, &i); for(; i<n; i++) if(r[i] == '|') break; @@ -434,7 +434,7 @@ wincleartag(Window *w) } Rune* -parsetag(Window *w, int *len) +parsetag(Window *w, int extra, int *len) { static Rune Ldelsnarf[] = { ' ', 'D', 'e', 'l', ' ', 'S', 'n', 'a', 'r', 'f', 0 }; static Rune Lspacepipe[] = { ' ', '|', 0 }; @@ -442,7 +442,7 @@ parsetag(Window *w, int *len) int i; Rune *r, *p, *pipe; - r = runemalloc(w->tag.file->b.nc+1); + r = runemalloc(w->tag.file->b.nc+extra+1); bufread(&w->tag.file->b, 0, r, w->tag.file->b.nc); r[w->tag.file->b.nc] = '\0'; @@ -483,7 +483,7 @@ winsettag1(Window *w) /* there are races that get us here with stuff in the tag cache, so we take extra care to sync it */ if(w->tag.ncache!=0 || w->tag.file->mod) wincommit(w, &w->tag); /* check file name; also guarantees we can modify tag contents */ - old = parsetag(w, &i); + old = parsetag(w, 0, &i); if(runeeq(old, i, w->body.file->name, w->body.file->nname) == FALSE){ textdelete(&w->tag, 0, i, TRUE); textinsert(&w->tag, 0, w->body.file->name, w->body.file->nname, TRUE); @@ -604,7 +604,7 @@ wincommit(Window *w, Text *t) textcommit(f->text[i], FALSE); /* no-op for t */ if(t->what == Body) return; - r = parsetag(w, &i); + r = parsetag(w, 0, &i); if(runeeq(r, i, w->body.file->name, w->body.file->nname) == FALSE){ seq++; filemark(w->body.file); |