From 6dbecfb457d1625687f2338696c2b8195c831ae4 Mon Sep 17 00:00:00 2001
From: Ori Bernstein <ori@eigenstate.org>
Date: Sat, 1 Aug 2020 10:49:29 -0700
Subject: htmlroff: fix out of bounds access (thanks Rei-sen, via plan9port)

_readx() uses rune count as its argument and not size, so we should
pass nelem() instead of sizeof().
---
 sys/src/cmd/htmlroff/roff.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/src/cmd/htmlroff/roff.c b/sys/src/cmd/htmlroff/roff.c
index 6a7cd09e4..831cf83fe 100644
--- a/sys/src/cmd/htmlroff/roff.c
+++ b/sys/src/cmd/htmlroff/roff.c
@@ -257,7 +257,7 @@ copyarg(void)
 	int c;
 	Rune *r;
 	
-	if(_readx(buf, sizeof buf, ArgMode, 0) < 0)
+	if(_readx(buf, nelem(buf), ArgMode, 0) < 0)
 		return nil;
 	r = runestrstr(buf, L("\\\""));
 	if(r){
@@ -280,7 +280,7 @@ readline(int m)
 	static Rune buf[MaxLine];
 	Rune *r;
 
-	if(_readx(buf, sizeof buf, m, 1) < 0)
+	if(_readx(buf, nelem(buf), m, 1) < 0)
 		return nil;
 	r = erunestrdup(buf);
 	return r;
-- 
cgit v1.2.3