From: cinap_lenrek@felloff.net
To: 9front@9front.org
Date: Sat, 12 Mar 2022 12:54:38 +0100
Subject: Re: [9front] werc memory over flow
List-ID: <9front.9front.org>

actually, i think i found it (by staring at the code).

the code at the done label was unconditionally inserting NUL terminator, without the final adjbuf() ensuring there's space for it.

the patch gets rid of the label, so we won't skip the final adjbuf().

diff d52f25ecdcf1dc8ee8d278c8da44159d82d8dd8f uncommitted --- a/sys/src/cmd/awk/run.c +++ b/sys/src/cmd/awk/run.c @@ -1934,7 +1934,7 @@ } } if (*c == 0) /* at end */ - goto done; + break; adjbuf(&buf, &bufsz, 2+pb-buf, recsize, &pb, "gsub"); *pb++ = *c++; if (pb > buf + bufsz) /* BUG: not sure of this test */ @@ -1962,8 +1962,12 @@ *pb++ = *sptr++; } c = patbeg + patlen; - if ((c[-1] == 0) || (*c == 0)) - goto done; + if (c[-1] == 0){ + c--; + break; + } + if (*c == 0) + break; if (pb > buf + bufsz) FATAL("gsub result1 %.30s too big; can't happen", buf); mflag = 1; 
@@ -1973,7 +1977,7 @@ adjbuf(&buf, &bufsz, 1+strlen(sptr)+pb-buf, 0, &pb, "gsub"); while ((*pb++ = *sptr++) != 0) ; - done: if (pb > buf + bufsz) + if (pb > buf + bufsz) FATAL("gsub result2 %.30s too big; can't happen", buf); *pb = '\0'; setsval(x, buf); /* BUG: should be able to avoid copy + free */ -- cinap
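Review bot: in the @@ -1934 hunk, the `break` at `if (*c == 0)` now leaves the loop with c still on the terminator and relies on the code after the loop (the final adjbuf() and the copy loop) to terminate the result; the `/* at end */` comment could say that the tail is now responsible for the final NUL, otherwise a reader will assume this path finishes the string itself.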
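Review bot: in the @@ -1962 hunk, the new `c--` in the `c[-1] == 0` branch deserves a comment: it steps c back onto the terminator the match consumed so that the copy after the loop starts at the NUL rather than one byte past it, and without that explanation the decrement reads like an off-by-one. Minor style point: `if (c[-1] == 0){` is missing the space before the brace that the surrounding `if (...) {` code uses.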
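Review bot: in the @@ -1973 hunk, the tail still has a one-byte window. adjbuf() is asked for `1+strlen(sptr)+pb-buf` bytes and `while ((*pb++ = *sptr++) != 0)` copies exactly strlen(sptr)+1 bytes including the NUL, so afterwards pb sits exactly at buf plus that requested minimum. If adjbuf() with a quantum of 0 sizes the buffer to exactly that minimum (its sizing policy is not in this hunk), then pb == buf + bufsz, the `pb > buf + bufsz` test does not fire, and `*pb = '\0'` writes one byte past the allocation. Since the copy loop has already written the terminator, the trailing `*pb = '\0'` is redundant; either drop it or make the check `pb >= buf + bufsz` so this path cannot become the overflow the thread is chasing.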