[hackers] [sent] Avoid out-of-bounds access when a slide input line begins with \0 || Chris Down

From: <git_AT_suckless.org>
Date: Thu, 14 May 2020 11:44:22 +0200 (CEST)

commit 2649e8d5334f7e37a1710c60fb740ecfe91b9f9e
Author: Chris Down <chris_AT_chrisdown.name>
AuthorDate: Wed May 13 12:20:53 2020 +0100
Commit: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
CommitDate: Thu May 14 11:43:34 2020 +0200

    Avoid out-of-bounds access when a slide input line begins with \0
    
    If we read in a line with \0 at the beginning, blen will be 0. However,
    we then try to index our copy of the buffer with
    s->lines[s->linecount][blen-1], we'll read (and potentially write if the
    data happens to be 0x0A) outside of strdup's allocated memory, and may
    crash.
    
    Fix this by just rejecting lines with a leading \0. Lines with nulls
    embedded in other places don't invoke similar behaviour, since the
    length is still >0.

diff --git a/sent.c b/sent.c
index c50a572..9534fca 100644
--- a/sent.c
+++ b/sent.c
_AT_@ -428,6 +428,10 @@ load(FILE *fp)
                 maxlines = 0;
                 memset((s = &slides[slidecount]), 0, sizeof(Slide));
                 do {
+ /* if there's a leading null, we can't do blen-1 */
+ if (buf[0] == '\0')
+ continue;
+
                         if (buf[0] == '#')
                                 continue;
 
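Review bot: The guard added at the top of the do-loop body is separated from the s->lines[s->linecount][blen-1] access it protects, so that index stays safe only as long as no later change lets a zero-length buffer reach it by another route. Consider checking the length at the point of use as well (testing blen > 0 before reading [blen-1]), which keeps the invariant next to the indexing. The comment "we can't do blen-1" gives the reason but not the effect; it would help to say that the line is skipped, as the '#' check below it does by position.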
Received on Thu May 14 2020 - 11:44:22 CEST
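The length check the commit message argues for, placed at the point of indexing, as an added example that is not code from sent.c or from the commit author. `copy_line`, `load_lines` and the sample input are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not from sent.c: duplicate one fgets()-filled buffer
 * and strip its trailing newline. Returns NULL when the line starts with
 * NUL (length 0) or when allocation fails. */
char *copy_line(const char *buf, size_t *len_out)
{
	size_t blen = strlen(buf);      /* stops at the first NUL byte */
	char *copy;

	if (blen == 0)                  /* blen - 1 is not a valid index */
		return NULL;
	if (!(copy = malloc(blen + 1)))
		return NULL;
	memcpy(copy, buf, blen + 1);
	if (copy[blen - 1] == '\n')     /* safe: blen >= 1 here */
		copy[--blen] = '\0';
	*len_out = blen;
	return copy;
}

/* Read up to max lines from fp, skipping rejected ones; returns the count. */
size_t load_lines(FILE *fp, char **lines, size_t max)
{
	char buf[BUFSIZ];
	size_t n = 0, len;

	while (n < max && fgets(buf, sizeof(buf), fp))
		if ((lines[n] = copy_line(buf, &len)))
			n++;
	return n;
}

int main(void)
{
	/* Constructed input: the second line begins with a NUL byte. */
	static const char input[] = "first\n\0hidden\nlast\n";
	char *lines[8];
	FILE *fp = tmpfile();
	size_t i, n;

	if (!fp)
		return 1;
	fwrite(input, 1, sizeof(input) - 1, fp);
	rewind(fp);
	n = load_lines(fp, lines, 8);
	for (i = 0; i < n; free(lines[i++]))
		printf("%zu: %s\n", i, lines[i]);
	fclose(fp);
	return 0;
}
```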