tonitch/sent
1
0
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases Wiki Activity

Avoid out-of-bounds access when a slide input line begins with \0

Browse Source 
If we read in a line with \0 at the beginning, blen will be 0. However,
we then try to index our copy of the buffer with
s->lines[s->linecount][blen-1], we'll read (and potentially write if the
data happens to be 0x0A) outside of strdup's allocated memory, and may
crash.

Fix this by just rejecting lines with a leading \0. Lines with nulls
embedded in other places don't invoke similar behaviour, since the
length is still >0.
This commit is contained in:
Chris Down 2020-05-13 12:20:53 +01:00 committed by Hiltjo Posthuma
parent 72d33d463f
commit 2649e8d533
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sent.c
View File

@ -428,6 +428,10 @@ load(FILE *fp)
maxlines = 0; maxlines = 0;
memset((s = &slides[slidecount]), 0, sizeof(Slide)); memset((s = &slides[slidecount]), 0, sizeof(Slide));
do { do {
/* if there's a leading null, we can't do blen-1 */
if (buf[0] == '\0')
continue;
if (buf[0] == '#') if (buf[0] == '#')
continue; continue;