Avoid out-of-bounds access when a slide input line begins with \0 - sent - simp…
git clone git://git.suckless.org/sent
---
commit 2649e8d5334f7e37a1710c60fb740ecfe91b9f9e
parent 72d33d463fed7ba271961a6f91cae1fed8faa454
Author: Chris Down <[email protected]>
Date: Wed, 13 May 2020 12:20:53 +0100

Avoid out-of-bounds access when a slide input line begins with \0

If we read in a line with \0 at the beginning, blen will be 0. However,
we then try to index our copy of the buffer with
s->lines[s->linecount][blen-1], we'll read (and potentially write if the
data happens to be 0x0A) outside of strdup's allocated memory, and may
crash.

Fix this by just rejecting lines with a leading \0. Lines with nulls
embedded in other places don't invoke similar behaviour, since the
length is still >0.

Diffstat:
M sent.c | 4 ++++
1 file changed, 4 insertions(+), 0 deletions(-)
---
diff --git a/sent.c b/sent.c | |
@@ -428,6 +428,10 @@ load(FILE *fp) | |
maxlines = 0; | |
memset((s = &slides[slidecount]), 0, sizeof(Slide)); | |
do { | |
+ /* if there's a leading null, we can't do blen-1 */ | |
+ if (buf[0] == '\0') | |
+ continue; | |
+ | |
if (buf[0] == '#') | |
continue; | |
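Review bot: the new `buf[0] == '\0'` test at the top of the `do` body protects an access that is not next to it, so the fix only holds as long as nothing between this check and the `s->lines[s->linecount][blen-1]` expression named in the commit message can produce a zero length again. Consider guarding the index itself with a `blen > 0` condition, either instead of or in addition to the early `continue`, so the bounds check sits beside the read and write it protects. If the early skip stays, the comment could say "leading NUL byte" rather than "leading null" to avoid confusion with a NULL pointer, and note that the rest of that input line is dropped silently, in the same way as the `#` comment case just below.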