From: Yoann Padioleau
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Fri, 20 Jun 2014 10:22:00 +0000
Subject: [9fans] crashing plan9 source boot CD with key combination (buffer overflow)

Hi,

There is another buffer overflow somewhere I think. The code in kbdputsc() in kbd.c does not look very safe:

	kbscan->kc[kbscan->nk++] = c;   <--------- no bound checking, can overflow.
	c = latin1(kbscan->kc, kbscan->nk);
	if(c < -1)	/* need more keystrokes */
		return;
	if(c != -1)	/* valid sequence */
		kbdputc(kbdq, c);
	else		/* dump characters */
		for(i=0; i<kbscan->nk; i++)
			kbdputc(kbdq, kbscan->kc[i]);
	kbscan->nk = 0;
	kbscan->collecting = 0;

Actually with the actual plan9 iso, when I boot from the CD and in rio I open a new terminal and type

	x ddddddddddddddddddddddddddd lc

then I crash the cpu.
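A constructed model of the control flow quoted above, added here as an example; it is neither code from the mail nor Plan 9's own kbd.c or its fix. It assumes a hypothetical NKC-entry kc[], a stand-in latin1() (latin1_stub) that keeps asking for more keystrokes, and a demo() driver; the unchecked path reports the out-of-range index instead of performing the write, and the bounded variant shows one way to flush a full buffer so nk can never run past the array.

```c
#define NKC 5   /* hypothetical capacity of kc[]; the real size is not given in the mail */
#define nelem(x) ((int)(sizeof(x)/sizeof((x)[0])))

typedef struct Kbscan { int kc[NKC]; int nk; int collecting; int out[32]; int nout; } Kbscan;

/* stands in for kbdputc(kbdq, c): records what would reach the keyboard queue */
static void kbdputc(Kbscan *s, int c) { if(s->nout < nelem(s->out)) s->out[s->nout++] = c; }

/* Stand-in for latin1(), constructed: "xa" composes to 0xE1; any other 'x'-prefixed
   sequence keeps answering "need more keystrokes" (< -1) well past NKC keys. */
static int latin1_stub(int *kc, int nk)
{
	if(kc[0] != 'x')
		return -1;
	if(nk == 2 && kc[1] == 'a')
		return 0xE1;
	return nk < 2*NKC ? -2 : -1;
}

/* Control flow quoted in the mail.  check==0 mirrors the unchecked store but reports (-1)
   instead of writing out of range; check==1 flushes a full kc[] as plain keys first. */
static int kbdputsc(Kbscan *s, int c, int check)
{
	int i;
	if(s->nk >= nelem(s->kc)){
		if(!check)
			return -1;            /* the original code would write past kc[] here */
		for(i = 0; i < s->nk; i++)
			kbdputc(s, s->kc[i]);
		s->nk = 0;
	}
	s->kc[s->nk++] = c;
	c = latin1_stub(s->kc, s->nk);
	if(c < -1)                    /* need more keystrokes */
		return 1;
	if(c != -1)                   /* valid sequence */
		kbdputc(s, c);
	else                          /* dump characters */
		for(i = 0; i < s->nk; i++)
			kbdputc(s, s->kc[i]);
	s->nk = 0;
	s->collecting = 0;
	return 0;
}

/* Feeds a key string; returns -1 on a would-be overflow, else the number of chars emitted. */
static int demo(const char *keys, int check)
{
	Kbscan s = {0};
	for(; *keys; keys++)
		if(kbdputsc(&s, *keys, check) < 0)
			return -1;
	return s.nout;
}
```

With the unchecked flow, an 'x' followed by more than NKC keys that latin1_stub still treats as a pending sequence runs nk past kc[]; the checked flow emits every key instead.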