diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2014-12-11 20:20:47 +0100 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2014-12-11 20:20:47 +0100 |
| commit | 854d028db99d81752082028700bd7ada53306424 (patch) | |
| tree | 45abbdabd5a2dd720388a94daa21a5df56ea0e4b | |
| parent | 86e63c36eded29e46a17628264b73d743df9a864 (diff) | |
| download | plan9front-854d028db99d81752082028700bd7ada53306424.tar.xz | |
acme: fix buffer overrun in xfidutfread() and xfidruneread(), cleanup
the utf8 buffers b1 where allocated from fbufalloc() which gives
us BUFSIZE bytes, but Xfid->count can be bigger than that. so just
emalloc() the requested number of bytes.
when converting from Runes to utf-8, we have to account for the
terminating '\0' byte snprint() places, so fix the maxrune number
calculation instead of using BUFSIZE+1 as buffer size.
| -rw-r--r-- | sys/src/cmd/acme/exec.c | 6 | ||||
| -rw-r--r-- | sys/src/cmd/acme/xfid.c | 55 |
2 files changed, 21 insertions, 40 deletions
diff --git a/sys/src/cmd/acme/exec.c b/sys/src/cmd/acme/exec.c index 46bec984e..8acb63028 100644 --- a/sys/src/cmd/acme/exec.c +++ b/sys/src/cmd/acme/exec.c @@ -602,10 +602,10 @@ putfile(File *f, int q0, int q1, Rune *namer, int nname) for(q=q0; q<q1; q+=n){ n = q1 - q; - if(n > BUFSIZE/UTFmax) - n = BUFSIZE/UTFmax; + if(n > (BUFSIZE-1)/UTFmax) + n = (BUFSIZE-1)/UTFmax; bufread(f, q, r, n); - m = snprint(s, BUFSIZE+1, "%.*S", n, r); + m = snprint(s, BUFSIZE, "%.*S", n, r); if(write(fd, s, m) != m){ warning(nil, "can't write file %s: %r\n", name); goto Rescue2; diff --git a/sys/src/cmd/acme/xfid.c b/sys/src/cmd/acme/xfid.c index bf3223ab1..32273d6f8 100644 --- a/sys/src/cmd/acme/xfid.c +++ b/sys/src/cmd/acme/xfid.c @@ -147,10 +147,10 @@ xfidopen(Xfid *x) s = fbufalloc(); while(q0 < q1){ n = q1 - q0; - if(n > BUFSIZE/UTFmax) - n = BUFSIZE/UTFmax; + if(n > (BUFSIZE-1)/UTFmax) + n = (BUFSIZE-1)/UTFmax; bufread(t->file, q0, r, n); - m = snprint(s, BUFSIZE+1, "%.*S", n, r); + m = snprint(s, BUFSIZE, "%.*S", n, r); if(write(w->rdselfd, s, m) != m){ warning(nil, "can't write temp file for pipe command %r\n"); break; @@ -582,20 +582,14 @@ xfidctlwrite(Xfid *x, Window *w) int i, m, n, nb, nr, nulls; Rune *r; char *err, *p, *pp, *q, *e; - int isfbuf, scrdraw, settag; + int scrdraw, settag; Text *t; err = nil; e = x->data+x->count; scrdraw = FALSE; settag = FALSE; - isfbuf = TRUE; - if(x->count < RBUFSIZE) - r = fbufalloc(); - else{ - isfbuf = FALSE; - r = emalloc(x->count*UTFmax+1); - } + r = emalloc(x->count*UTFmax+1); x->data[x->count] = 0; textcommit(&w->tag, TRUE); for(n=0; n<x->count; n+=m){ @@ -773,10 +767,7 @@ out: m++; } - if(isfbuf) - fbuffree(r); - else - free(r); + free(r); if(err) n = 0; fc.count = n; @@ -794,19 +785,12 @@ xfideventwrite(Xfid *x, Window *w) int m, n; Rune *r; char *err, *p, *q; - int isfbuf; Text *t; int c; uint q0, q1; err = nil; - isfbuf = TRUE; - if(x->count < RBUFSIZE) - r = fbufalloc(); - else{ - isfbuf = FALSE; - r = emalloc(x->count*UTFmax+1); - } + r = emalloc(x->count*UTFmax+1); for(n=0; n<x->count; n+=m){ p = x->data+n; w->owner = *p++; /* disgusting */ @@ -856,10 +840,7 @@ xfideventwrite(Xfid *x, Window *w) } Out: - if(isfbuf) - fbuffree(r); - else - free(r); + free(r); if(err) n = 0; fc.count = n; @@ -886,7 +867,7 @@ xfidutfread(Xfid *x, Text *t, uint q1, int qid) off = x->offset; r = fbufalloc(); b = fbufalloc(); - b1 = fbufalloc(); + b1 = emalloc(x->count); n = 0; if(qid==w->utflastqid && off>=w->utflastboff && w->utflastq<=q1){ boff = w->utflastboff; @@ -906,10 +887,10 @@ xfidutfread(Xfid *x, Text *t, uint q1, int qid) w->utflastboff = boff; w->utflastq = q; nr = q1-q; - if(nr > BUFSIZE/UTFmax) - nr = BUFSIZE/UTFmax; + if(nr > (BUFSIZE-1)/UTFmax) + nr = (BUFSIZE-1)/UTFmax; bufread(t->file, q, r, nr); - nb = snprint(b, BUFSIZE+1, "%.*S", nr, r); + nb = snprint(b, BUFSIZE, "%.*S", nr, r); if(boff >= off){ m = nb; if(boff+m > off+x->count) @@ -933,7 +914,7 @@ xfidutfread(Xfid *x, Text *t, uint q1, int qid) fc.count = n; fc.data = b1; respond(x, &fc, nil); - fbuffree(b1); + free(b1); } int @@ -950,16 +931,16 @@ xfidruneread(Xfid *x, Text *t, uint q0, uint q1) wincommit(w, t); r = fbufalloc(); b = fbufalloc(); - b1 = fbufalloc(); + b1 = emalloc(x->count); n = 0; q = q0; boff = 0; while(q<q1 && n<x->count){ nr = q1-q; - if(nr > BUFSIZE/UTFmax) - nr = BUFSIZE/UTFmax; + if(nr > (BUFSIZE-1)/UTFmax) + nr = (BUFSIZE-1)/UTFmax; bufread(t->file, q, r, nr); - nb = snprint(b, BUFSIZE+1, "%.*S", nr, r); + nb = snprint(b, BUFSIZE, "%.*S", nr, r); m = nb; if(boff+m > x->count){ i = x->count - boff; @@ -986,7 +967,7 @@ xfidruneread(Xfid *x, Text *t, uint q0, uint q1) fc.count = n; fc.data = b1; respond(x, &fc, nil); - fbuffree(b1); + free(b1); return q-q0; } |