From: qwx
Date: Mon, 26 Aug 2019 01:05:26 +0200
To: 9front@9front.org
Subject: vncv: realloc memory corruption

Hello,

In /sys/src/cmd/vnc/wsys.c:/^getsnarf, /dev/snarf's contents are being read into a buffer, which is grown in 8192-byte increments using realloc. The code assumes that realloc will always return the same pointer, and the p variable is never updated. On subsequent reads, memory may be corrupted. I've hit this multiple times when snarfing a large amount of text while a vncv is running.

Example:

% vncv host
# in another window:
% cat /lib/dicewords >/dev/snarf

The following patch fixes this. Any objections to merging this?

Thanks,
qwx

diff -r bb28fe19fe44 sys/src/cmd/vnc/wsys.c --- a/sys/src/cmd/vnc/wsys.c Mon Aug 19 16:42:20 2019 +0200 +++ b/sys/src/cmd/vnc/wsys.c Mon Aug 26 00:49:19 2019 +0200 @@ -281,6 +281,7 @@ *sz += c; if (n == 0){ snarf = realloc(snarf, *sz + 8192); + p = snarf + *sz; n = 8192; } }
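Review bot: the added `p = snarf + *sz;` correctly re-derives the write pointer after the buffer may have moved, but the `snarf = realloc(snarf, *sz + 8192);` just above it is still unchecked: if realloc fails, snarf becomes nil, the text read so far is leaked, and the next read goes through `p = nil + *sz`. Suggest assigning the result to a temporary and bailing out on nil (sysfatal("realloc: %r") in the usual Plan 9 style) before updating snarf and p.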
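The same chunked read loop with the write pointer recomputed after every realloc and the realloc result checked, as an added example in portable C that is not the 9front code or the patch above; it assumes a POSIX read(2) source and uses a temp file filled with constructed data for the self-contained round trip:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
enum { CHUNK = 8192 };

/* Added example, not the 9front code. Read fd to EOF into a NUL-terminated heap
 * buffer grown a chunk at a time like getsnarf; *sz receives the byte count.
 * Returns NULL on read or allocation failure (the partial buffer is freed). */
char *readall(int fd, size_t *sz)
{
	char *buf = NULL, *nb, *p;
	size_t n = 0;	/* bytes still free at the end of buf */
	ssize_t c;
	*sz = 0;
	for (;;) {
		if (n == 0) {
			/* grow by one chunk (+1 for the terminator). Keep buf until the
			 * new block is known good: on failure nothing leaks or aliases. */
			nb = realloc(buf, *sz + CHUNK + 1);
			if (nb == NULL) { free(buf); return NULL; }
			buf = nb;
			n = CHUNK;
		}
		p = buf + *sz;	/* recomputed every pass: realloc may have moved buf */
		c = read(fd, p, n);
		if (c < 0) { free(buf); return NULL; }
		if (c == 0) break;
		*sz += c;
		n -= c;
	}
	buf[*sz] = '\0';
	return buf;
}

/* Round-trip a constructed payload of len bytes through a temp file and
 * return 1 if readall hands it back intact, 0 otherwise. */
int demo_roundtrip(size_t len)
{
	FILE *f = tmpfile();
	char *want = malloc(len + 1), *got;
	size_t i, sz; int ok;
	if (f == NULL || want == NULL) return 0;
	for (i = 0; i < len; i++) want[i] = 'a' + i % 26;	/* constructed data */
	want[len] = '\0';
	if (fwrite(want, 1, len, f) != len || fflush(f) != 0) return 0;
	rewind(f);
	got = readall(fileno(f), &sz);
	ok = got != NULL && sz == len && memcmp(got, want, len + 1) == 0;
	free(got); free(want); fclose(f);
	return ok;
}
```

A payload longer than one chunk forces several realloc calls, which is exactly the case where a cached pointer goes stale.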