Update of bug #52433 (project groff):
Category: None => Preprocessor html
Item Group: None => Incorrect behaviour
Status: None => Need Info
Summary: Commit [09040dbf] is wrong => Commit [09040dbf] is
wrong: bad bounds check in pre-html.cpp
_______________________________________________________
Follow-up Comment #1:
Anyone got ideas about this? I'm afraid I don't understand the code well
enough to craft an exploit for it, but our anonymous submitter has a
suggestion.
Here's the commit to which he refers.
commit 09040dbf908c2563e0d918a1dca7bb564226a0f8
Author: Bálint Réczey <[email protected]>
Date: Tue Feb 16 00:16:28 2016 +0100
[pre-grohtml] Fix out-of-bounds array access (#47161).
* src/preproc/html/pre-html.cpp (char_buffer::write_upto_newline):
Implement it.
diff --git a/ChangeLog b/ChangeLog
index b3cdf1d7..b264974d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-02-15 Bálint Réczey <[email protected]>
+
+ [pre-grohtml] Fix out-of-bounds array access (#47161).
+
+ * src/preproc/html/pre-html.cpp (char_buffer::write_upto_newline):
+ Implement it.
+
2016-02-15 Bálint Réczey <[email protected]>
Don't use `memcpy' with NULL input or output argument (#47160).
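Review bot: the last line of the added entry, "Implement it.", does not describe the change. The function char_buffer::write_upto_newline already exists at line 661 of pre-html.cpp, and the commit only adds a test of j to one condition in it. Suggest wording that names the change, for example "Check index against char_block::SIZE before reading buffer", so that a reader of the ChangeLog can tell which access was guarded and by what bound.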
diff --git a/src/preproc/html/pre-html.cpp b/src/preproc/html/pre-html.cpp
index 978721a1..8698149a 100644
--- a/src/preproc/html/pre-html.cpp
+++ b/src/preproc/html/pre-html.cpp
@@ -661,7 +661,7 @@ void char_buffer::write_upto_newline(char_block **t, int
*i, int is_html)
&& (*t)->buffer[j] == '\n')
j++;
writeNbytes((*t)->buffer + (*i), j - (*i));
- if ((*t)->buffer[j] == INLINE_LEADER_CHAR) {
+ if (j < char_block::SIZE && (*t)->buffer[j] == INLINE_LEADER_CHAR) {
if (can_see(t, &j, HTML_IMAGE_INLINE_BEGIN))
write_start_image(INLINE, is_html);
else if (can_see(t, &j, HTML_IMAGE_INLINE_END))
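Review bot: the new guard on the changed line, j < char_block::SIZE, bounds j by the capacity of the array rather than by the amount of data the block holds, so it stops a read past the end of buffer but still allows buffer[j] to be read from a slot that was never filled when the block is only partly used. If the condition whose tail is visible just above (&& (*t)->buffer[j] == '\n') limits j by the block's fill count, use that same bound here so the two tests agree. Also check the j == limit case: the preceding j++ can leave j one past the last valid byte, and when the guard is false the inline leader may be the first byte of the next block, so confirm the caller handles the block boundary rather than silently skipping the image marker.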
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?52433>