"Todd C. Miller" <[email protected]> writes:
> On Fri, 08 Dec 2017 08:58:17 -0700, "Todd C. Miller" wrote:
>
>> This adds some missing length checks and fixes the crash.
>> It may just be hiding the source of the actual bug, however.
>
> Updated diff that adds another missing length check.
Runs fine too.
>
> - todd
>
> Index: usr.bin/locate/locate/fastfind.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/locate/locate/fastfind.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 fastfind.c
> --- usr.bin/locate/locate/fastfind.c 23 Oct 2015 07:57:03 -0000 1.13
> +++ usr.bin/locate/locate/fastfind.c 8 Dec 2017 16:16:37 -0000
> @@ -173,6 +173,8 @@ fastfind_mmap
>
> /* go forward or backward */
> if (c == SWITCH) { /* big step, an integer */
> + if (len < INTSIZE)
> + break;
> count += getwm(paddr) - OFFSET;
> len -= INTSIZE; paddr += INTSIZE;
> } else { /* slow step, =< 14 chars */
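Review bot: the new `if (len < INTSIZE) break;` guards the `getwm(paddr)` read, but a database that runs out in the middle of a SWITCH record now ends the walk silently with no diagnostic, which is the "hiding the source of the actual bug" concern raised earlier in this thread; consider reporting the short read (a warning that the database is truncated) before breaking, so a corrupt database can be told apart from normal end of input.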
> @@ -184,7 +186,7 @@ fastfind_mmap
> p = path + count;
> foundchar = p - 1;
>
> - for (;;) {
> + for (; len > 0; ) {
> c = (u_char)*paddr++;
> len--;
> /*
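Review bot: changing `for (;;)` to `for (; len > 0; )` stops the per-character loop before it reads past the mapping, but nothing in this hunk distinguishes that exit (data exhausted in the middle of a path) from the loop's normal exit on a terminator, so a truncated final entry may still be handled as a complete path by whatever follows the loop; consider recording that the loop ended because `len` hit 0 and skipping the partial entry. As a style point, `while (len > 0)` reads more clearly than a `for` with empty init and increment clauses.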
> @@ -197,7 +199,7 @@ fastfind_mmap
> */
> if (c < PARITY) {
> if (c <= UMLAUT) {
> - if (c == UMLAUT) {
> + if (c == UMLAUT && len > 0) {
> c = (u_char)*paddr++;
> len--;
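Review bot: with `c == UMLAUT && len > 0`, an UMLAUT byte arriving as the last byte of the mapping no longer triggers a read past the end, but instead of stopping the walk it falls into whatever code handles the `c < UMLAUT` case inside the `c <= UMLAUT` block, so the escape byte is processed as an ordinary control value rather than as a truncation. Writing it as `if (c == UMLAUT) { if (len == 0) break; ... }` would make this case end the walk the same way the other new length checks do and keep the UMLAUT handling separate from the truncation check.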