Date: Sat, 12 Mar 2022 15:38:03 +0100
From: Steffen Nurpmeso
To: 9front@9front.org
Subject: Re: [9front] werc memory over flow
Message-ID: <20220312143803.nKiSo%steffen@sdaoden.eu>
User-Agent: s-nail v14.9.23-243-g00c89d995b

Steve Simon wrote in :

 |forward the fix to mr kernighan - perhaps you will get a prize? ;-)

Mr. BW. K's awk is now maintained by someone else at
https://github.com/onetrueawk/awk.git (after Arnold Robbins had a
long stint).

Cool that 9front git shows the updates again btw!!!
Though my last one is facb0e757ac63f763bd942a2714f979538b99eb0 now,
from 2021-12-22?

 |-Steve
 |
 |> On 12 Mar 2022, at 11:58 am, cinap_lenrek@felloff.net wrote:
 |>
 |> actually, i think i found it (by staring at the code).
 |>
 |> the code at the done label was unconditionally inserting
 |> a NUL terminator, without the final adjbuf() ensuring
 |> there's space for it.
 |>
 |> the patch gets rid of the label, so we won't skip the
 |> final adjbuf().
 |>
 |> diff d52f25ecdcf1dc8ee8d278c8da44159d82d8dd8f uncommitted
 |> --- a/sys/src/cmd/awk/run.c
 |> +++ b/sys/src/cmd/awk/run.c
 |> @@ -1934,7 +1934,7 @@
 |>}
 |>}
 |> if (*c == 0) /* at end */
 |> - goto done;
 |> + break;

At least that is still there.

 |> adjbuf(&buf, &bufsz, 2+pb-buf, recsize, &pb, "gsub");
 |> *pb++ = *c++;
 |> if (pb > buf + bufsz) /* BUG: not sure of this test */
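Review bot: with the label gone, the `/* at end */` comment in the @@ -1934 hunk should say where control goes now: `break` leaves the enclosing loop and falls into the trailing adjbuf()-and-copy, which with `*c == 0` appends only the terminator, so it is that copy and no longer a store at `done:` that ends the buffer. One line there saves the next reader from hunting for a label that no longer exists.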
 |> @@ -1962,8 +1962,12 @@
 |> *pb++ = *sptr++;
 |>}
 |> c = patbeg + patlen;
 |> - if ((c[-1] == 0) || (*c == 0))
 |> - goto done;
 |> + if (c[-1] == 0){
 |> + c--;
 |> + break;
 |> + }
 |> + if (*c == 0)
 |> + break;

That is different now:

 |> if (pb > buf + bufsz)
 |> FATAL("gsub result1 %.30s too big; can't happen", \
 |> buf);
 |> mflag = 1;

				} else
					*pb++ = *sptr++;
			}
			t = patbeg + patlen;
			if (patlen == 0 || *t == '\0' || *(t-1) == '\0')
				goto done;
			if (pb > buf + bufsz)
				FATAL("gsub result1 %.30s too big; can't happen", buf);
			mflag = 1;

Here too:

 |> @@ -1973,7 +1977,7 @@
 |> adjbuf(&buf, &bufsz, 1+strlen(sptr)+pb-buf, 0, &pb, "gsub");
 |> while ((*pb++ = *sptr++) != 0)
 |> ;
 |> - done: if (pb > buf + bufsz)
 |> + if (pb > buf + bufsz)
 |> FATAL("gsub result2 %.30s too big; can't happen", buf);

	done:	if (pb < buf + bufsz)
			*pb = '\0';
		else if (*(pb-1) != '\0')
			FATAL("gsub result2 %.30s truncated; can't happen", buf);

 |> *pb = '\0';
 |> setsval(x, buf); /* BUG: should be able to avoid copy + free */
 |>
 |> --
 |> cinap

--End of

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
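Review bot: the new `c--` in the @@ -1962 hunk needs a comment explaining why it is there: it only makes sense because the final adjbuf() and copy after the loop (the @@ -1973 hunk) take strlen() of the text remaining from that position, so when the match swallowed the terminating NUL (`c[-1] == 0`) c has to be stepped back onto that NUL, or strlen() runs past the end of the string. Also consider testing patlen before touching `c[-1]`, as the upstream condition `if (patlen == 0 || *t == '\0' || *(t-1) == '\0')` does: if patlen can be 0 on this path, `c[-1]` is `patbeg[-1]`, which for a match at the very start of the target string is the byte before it.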
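Review bot: the `*pb = '\0';` kept after the FATAL check in the @@ -1973 hunk still writes one byte past what the preceding adjbuf() reserved whenever the reservation is exact. adjbuf() guarantees `1+strlen(sptr)` bytes from pb, the `while ((*pb++ = *sptr++) != 0)` loop consumes all of them including the terminator and leaves pb one past it, so `pb == buf + bufsz` is reachable and the `pb > buf + bufsz` test does not reject it. Either drop the store, since the loop has already terminated the string, or guard it the way the upstream lines quoted in this message do: `if (pb < buf + bufsz) *pb = '\0'; else if (*(pb-1) != '\0') FATAL(...)`.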
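The overflow cinap describes, reduced to a runnable model as an added example: this is not code from the thread, from 9front or from onetrueawk. adjbuf() is re-implemented here in simplified form, and CANARY, copy_rest(), finish_store_after_copy(), finish_checked() and run_case() are this example's own names. The tail of gsub() reserves exactly 1+strlen(rest) bytes from the cursor, copies the rest of the record including its NUL, and then stores a terminator; the first finisher keeps the `pb > buf + bufsz` guard plus `*pb = '\0'` from the patch, the second uses the upstream form quoted in the message. A canary byte just past the logical buffer shows which of the two writes outside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Canary kept just past the logical buffer: a device of this model, not
 * something awk does, so that a one-byte overrun becomes observable. */
#define CANARY 0x5a

/* Simplified adjbuf(): make the buffer at least minlen bytes, keeping the
 * cursor *pbptr valid across realloc().  quantum == 0 means no rounding,
 * as in gsub()'s final call, so the new size can be exactly minlen. */
static int adjbuf(char **pbuf, size_t *psiz, size_t minlen, size_t quantum, char **pbptr)
{
    if (minlen > *psiz) {
        size_t off = pbptr ? (size_t)(*pbptr - *pbuf) : 0;
        char *t;
        if (quantum != 0 && minlen % quantum != 0)
            minlen += quantum - minlen % quantum;
        if ((t = realloc(*pbuf, minlen + 1)) == NULL)   /* +1 is the canary only */
            return 0;
        t[minlen] = CANARY;
        *pbuf = t;
        *psiz = minlen;
        if (pbptr != NULL)
            *pbptr = t + off;
    }
    return 1;
}

/* Reserve 1+strlen(rest) bytes from the cursor and copy rest, NUL included,
 * as the tail of gsub() does.  Returns the cursor one past the copied NUL. */
static char *copy_rest(char **pbuf, size_t *psiz, char **ppb, const char *rest)
{
    char *pb;
    const char *sptr = rest;
    if (!adjbuf(pbuf, psiz, 1 + strlen(rest) + (size_t)(*ppb - *pbuf), 0, ppb))
        return NULL;
    pb = *ppb;
    while ((*pb++ = *sptr++) != 0)
        ;
    return pb;
}

/* Termination as in the patched 9front code: `pb > buf + bufsz` is the only
 * guard before '\0' is stored at pb.  Returns 1 if the canary was overwritten,
 * 0 if every write stayed inside the reservation, -1 where awk would FATAL(). */
static int finish_store_after_copy(char **pbuf, size_t *psiz, char **ppb, const char *rest)
{
    char *pb = copy_rest(pbuf, psiz, ppb, rest);
    if (pb == NULL || pb > *pbuf + *psiz)
        return -1;
    /* With an exact reservation pb == buf + bufsz here: the '>' test passes
     * and this store lands on the byte after the buffer. */
    *pb = '\0';
    *ppb = pb;
    return (unsigned char)(*pbuf)[*psiz] != CANARY;
}

/* Termination as in the upstream lines quoted in the message: store only
 * while pb is inside the buffer, else require that pb[-1] already is '\0'. */
static int finish_checked(char **pbuf, size_t *psiz, char **ppb, const char *rest)
{
    char *pb = copy_rest(pbuf, psiz, ppb, rest);
    if (pb == NULL)
        return -1;
    if (pb < *pbuf + *psiz)
        *pb = '\0';
    else if (pb[-1] != '\0')
        return -1;
    *ppb = pb;
    return (unsigned char)(*pbuf)[*psiz] != CANARY;
}

/* One scenario: a bufsz-byte buffer already holding prefix (no NUL), then
 * one of the finishers appends rest.  Returns that finisher's result. */
static int run_case(size_t bufsz, const char *prefix, const char *rest, int checked)
{
    size_t siz = bufsz, plen = strlen(prefix);
    char *buf = malloc(bufsz + 1), *pb;
    int r;
    if (buf == NULL || plen > bufsz) {
        free(buf);
        return -1;
    }
    buf[bufsz] = CANARY;
    memcpy(buf, prefix, plen);
    pb = buf + plen;
    r = checked ? finish_checked(&buf, &siz, &pb, rest)
                : finish_store_after_copy(&buf, &siz, &pb, rest);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed inputs: "ab" already in an 8-byte buffer and "cdefg" plus
     * NUL still to copy, so the reservation equals the buffer size exactly. */
    printf("exact fit, store after copy: canary clobbered = %d\n", run_case(8, "ab", "cdefg", 0));
    printf("exact fit, checked store:    canary clobbered = %d\n", run_case(8, "ab", "cdefg", 1));
    printf("realloc, store after copy:   canary clobbered = %d\n", run_case(8, "", "hello, world", 0));
    return 0;
}
```

Build with `cc -Wall` and run: the exact-fit and realloc cases clobber the canary under the store-after-copy finisher and leave it intact under the checked one, which is the one-byte overrun the `>` test cannot catch once pb == buf + bufsz; a case with slack left in the buffer (for instance 16 bytes and "abc") stays in bounds under both.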