From 669713d43f8a014ba481265d4c58c3fe575527b4 Mon Sep 17 00:00:00 2001
From: Ray Lai
Date: Mon, 23 May 2016 22:30:52 +0800
Subject: 9term: Add missing parentheses, preventing buffer overflow.

(el-sr) is the string length and (sizeof wdir - strlen(name) - 20) is the buffer size. When the string length is greater than the buffer size, the beginning of the string is supposed to be trimmed to fit in the buffer size. Unfortunately a pair of parentheses were missing, pointing sr outside the buffer, and the for loop below then reads outside the buffer. For certain binary data printed in a window, it causes a segfault.

Change-Id: Iffeaa348260ee2a5a36d9577308fb8d1c1688d05
Reviewed-on: https://plan9port-review.googlesource.com/1540
Reviewed-by: Gleydson Soares
---
 src/cmd/9term/win.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cmd/9term/win.c b/src/cmd/9term/win.c
index 032f9ded..017d546b 100644
--- a/src/cmd/9term/win.c
+++ b/src/cmd/9term/win.c
@@ -634,7 +634,7 @@ label(char *sr, int n)
 	el = r+1;
 	if(el-sr > sizeof wdir - strlen(name) - 20)
-		sr = el - sizeof wdir - strlen(name) - 20;
+		sr = el - (sizeof wdir - strlen(name) - 20);
 	for(sl=el-3; sl>=sr; sl--)
 		if(sl[0]=='\033' && sl[1]==']' && sl[2]==';')
 			break;
--
cgit v1.2.3

From 94b38bdb722052838eb0d940c05995b870db4ea0 Mon Sep 17 00:00:00 2001
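Review bot: The guard on the context line above the changed one still evaluates `sizeof wdir - strlen(name) - 20` in unsigned arithmetic, so if `strlen(name)+20` ever exceeds `sizeof wdir` the budget wraps to a huge value, the comparison never fires and `sr` is never advanced past the data that does not fit; whether `name` can be that long is not visible here, because `wdir`, `name`, `el` and `sl` are declared outside the hunk and `label()` continues past it. The added parentheses are the right fix for the normal case, but the budget would be safer computed once and clamped to zero, so an over-long name degrades to "keep nothing" instead of "check nothing". Comparing `el-sr` (a signed pointer difference) with a size_t also converts the difference to unsigned silently; an explicit cast after the clamp makes that intent readable.
```c
	/* bytes of wdir left for this label; clamp so a long name cannot wrap the subtraction */
	size_t room = 0;
	if(strlen(name)+20 < sizeof wdir)
		room = sizeof wdir - strlen(name) - 20;
	if((size_t)(el-sr) > room)
		sr = el - room;
	/* … unchanged: scan back for the ESC ] ; sequence … */
```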
From: Ray Lai
Date: Wed, 18 May 2016 14:06:20 +0800
Subject: libdraw: replace hand-rolled realloc, preventing buffer overflow.

The original buffer is f->nsubf*sizeof *subf bytes (oldsize) large. Once it's full, a new buffer of (f->nsubf+DSUBF)*sizeof *subf (newsize) is mallocated. Unfortunately memmove() reads (newsize) bytes from the original (oldsize) buffer, causing a buffer overflow. By switching to realloc(), we don't need to do buffer size calculation, memmoving, and freeing of the original buffer.

Change-Id: Ibf85bc06abe1c8275b11acb1d7d346a14291d2cd
Reviewed-on: https://plan9port-review.googlesource.com/1520
Reviewed-by: Gleydson Soares
---
 src/libdraw/font.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/libdraw/font.c b/src/libdraw/font.c
index 8370606e..13bcd267 100644
--- a/src/libdraw/font.c
+++ b/src/libdraw/font.c
@@ -222,16 +222,14 @@ loadchar(Font *f, Rune r, Cacheinfo *c, int h, int noflush, char **subfontname)
 			subf->age = 0;
 		}else{	/* too recent; grow instead */
 			of = f->subf;
-			f->subf = malloc((f->nsubf+DSUBF)*sizeof *subf);
+			f->subf = realloc(of, (f->nsubf+DSUBF)*sizeof *subf);
 			if(f->subf == nil){
 				f->subf = of;
 				goto Toss;
 			}
-			memmove(f->subf, of, (f->nsubf+DSUBF)*sizeof *subf);
 			memset(f->subf+f->nsubf, 0, DSUBF*sizeof *subf);
 			subf = &f->subf[f->nsubf];
 			f->nsubf += DSUBF;
-			free(of);
 		}
 	}
 	subf->age = 0;
--
cgit v1.2.3
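Review bot: The restore `f->subf = of;` in the nil branch right after the new `realloc()` line is correct only because realloc leaves the original block untouched when it fails, and nothing in the hunk records that; a comment on that line, `/* realloc failed: the old array is still valid, keep it */`, would stop a later reader from turning the restore into a free and producing a double free at Toss. The size argument `(f->nsubf+DSUBF)*sizeof *subf` is now the only thing bounding the array, and it is passed unchecked; the type of `f->nsubf` is declared outside the hunk, so whether the product can overflow for a pathological font is not visible here, but the growth path deserves a bound or an overflow check before the multiply. `loadchar()` begins and ends outside the hunk.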