From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Fri, 20 Jun 2014 08:10:29 -0400
To: 9fans@9fans.net
Message-ID: <9a790dee571c2ece4b126c12bd940ea1@brasstown.quanstro.net>
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] crashing plan9 source boot CD with key combination (buffer overflow)
Topicbox-Message-UUID: fc23ab44-ead8-11e9-9d60-3106f5b1d025

On Fri Jun 20 06:24:25 EDT 2014, pad@fb.com wrote:

good catch, but...

> The code in kbdputsc() in kbd.c does not look very safe:
>
>	kbscan->kc[kbscan->nk++] = c;	<--------- no bound checking, can overflow.

this behavior depends entirely on what latin1() does.  if latin1() will
always consume the array before kbscan->nk reaches some bound, then extra
checking here wouldn't change anything.  and that's the case.  (read
port/latin1.c for details).

the real problem is that kc should be strlen("x10ffff") = 7.  (sources is
wrong here, too, UTFmax*2+1 = 9, which would allow for x1000ffff, which is
not a rune)

- erik

ps: the bug was introduced here
Apr 30 16:05:23 EDT 2013 /n/sourcesdump/2014/0620/plan9/sys/src/9/port/latin1.c 1570

pps: 9atom patch applied
/n/atom/patch/applied/collectlen
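The argument above (the unchecked store is safe only while the consumer drains the pending-key array before its index can reach the array bound, and the bound itself must match the longest sequence the consumer accepts) is illustrated by the following model. It is an added example written for this page, not Plan 9's kbd.c or latin1.c: the names Kbscan, compose(), kbdput_unchecked(), kbdput_checked() and feed(), the fixed "x" plus six hex digit sequence, and the Need/Reject/Overflow return codes are all assumptions made for the illustration. compose() plays the role latin1() plays in the thread; passing it a digit count larger than the array was sized for reproduces the buffer/consumer mismatch the message describes, and the hardened put shows how to fail closed instead of writing past kc.

```c
/*
 * Constructed model of a compose-key accumulator like the one discussed
 * in this thread. NOT Plan 9's kbd.c/latin1.c: all names, the fixed
 * "x" + six hex digit sequence and the return codes are assumptions.
 */
#include <stdio.h>
#include <string.h>

enum {
	RuneMax = 0x10FFFF,
	Ndigit = 6,		/* 10ffff is six hex digits */
	Kcmax = 1 + Ndigit,	/* strlen("x10ffff") == 7, the size the thread argues for */

	Need = -1,		/* sequence incomplete, keep accumulating */
	Reject = -2,		/* not a sequence: pending keys discarded */
	Overflow = -3		/* hardened put refused to write past kc */
};

typedef struct Kbscan Kbscan;
struct Kbscan {
	int kc[Kcmax];
	int nk;
	int maxnk;		/* high-water mark of nk, to observe the invariant */
	int overflows;		/* times the hardened put had to refuse a store */
};

static Kbscan kbscan;	/* single accumulator, reset by feed() */

static int
hexval(int c)
{
	if(c >= '0' && c <= '9')
		return c - '0';
	if(c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if(c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/*
 * compose() stands in for latin1(): inspect the pending keys and return
 * Need, Reject or the composed rune. ndigit is how many hex digits it
 * waits for; kc is sized for Ndigit, so a consumer that waits for more
 * is exactly the buffer/consumer mismatch the thread describes.
 */
static long
compose(int *k, int n, int ndigit)
{
	long r;
	int i, v;

	if(n == 0 || k[0] != 'x')
		return Reject;
	r = 0;
	for(i = 1; i < n; i++){
		v = hexval(k[i]);
		if(v < 0)
			return Reject;	/* invalid prefix: drop it at once */
		r = r<<4 | v;
	}
	if(n < 1 + ndigit)
		return Need;
	if(r > RuneMax)
		return Reject;		/* e.g. x110000 is not a rune */
	return r;
}

/* The store quoted in the thread, with no bound check. It is safe only
 * while compose() always drains kc before nk can reach Kcmax. */
static long
kbdput_unchecked(Kbscan *s, int c, int ndigit)
{
	long r;

	s->kc[s->nk++] = c;
	if(s->nk > s->maxnk)
		s->maxnk = s->nk;
	r = compose(s->kc, s->nk, ndigit);
	if(r != Need)
		s->nk = 0;		/* consumed or rejected: buffer drained */
	return r;
}

/* Hardened form: refuse to write past kc and fail closed. With
 * ndigit == Ndigit this branch is unreachable; it only fires when the
 * consumer and the array size disagree. */
static long
kbdput_checked(Kbscan *s, int c, int ndigit)
{
	if(s->nk >= Kcmax){
		s->overflows++;
		s->nk = 0;
		return Overflow;
	}
	return kbdput_unchecked(s, c, ndigit);
}

/* Feed a constructed key string through the accumulator; return the last
 * rune composed, or Reject if none was. */
static long
feed(const char *keys, int ndigit, int checked)
{
	long r, rune;

	memset(&kbscan, 0, sizeof kbscan);
	rune = Reject;
	for(; *keys != '\0'; keys++){
		if(checked)
			r = kbdput_checked(&kbscan, *keys, ndigit);
		else
			r = kbdput_unchecked(&kbscan, *keys, ndigit);
		if(r >= 0)
			rune = r;
	}
	return rune;
}

static int maxnk(void) { return kbscan.maxnk; }
static int overflows(void) { return kbscan.overflows; }

int
main(void)
{
	printf("x10ffff   -> %lx, maxnk %d\n", feed("x10ffff", Ndigit, 0), maxnk());
	printf("x110000   -> %ld (rejected)\n", feed("x110000", Ndigit, 0));
	printf("x1000ffff -> %lx, maxnk %d\n", feed("x1000ffff", Ndigit, 0), maxnk());
	printf("8-digit consumer, checked put: %ld, overflows %d\n",
		feed("x1000ffff", 8, 1), overflows());
	return 0;
}
```

With the array and the consumer agreeing on seven keys, maxnk never exceeds Kcmax and "x1000ffff" is consumed as x1000ff after seven keystrokes with the trailing "ff" discarded, which is the point about 9 being too generous. Only when compose() is told to wait for eight digits does the hardened put ever have to refuse a store; the unchecked form would have written past kc at that same keystroke.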