The branch main has been updated by jhb:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=ba86cffb2840e12b5d72453d7c574850a76001d8

commit ba86cffb2840e12b5d72453d7c574850a76001d8
Author:     John Baldwin <[email protected]>
AuthorDate: 2022-10-05 23:48:05 +0000
Commit:     John Baldwin <[email protected]>
CommitDate: 2022-10-05 23:48:05 +0000

    rs: Fix some pointer arith UB.
    
    If the next column was blank, then the length of the following entry
    was computed as the end of the following entry minus a global variable
    "blank" which is not in the same string or allocation.  Instead, save
    the start value of 'p' explicitly instead of abusing '*ep'.  Possibly
    we should just increment p before saving it in sp in the 'blank' case,
    but at worst that would just mean maxlen might be one char too large
    which should be harmless.
    
    Reviewed by:    brooks
    Differential Revision:  https://reviews.freebsd.org/D36832
---
 usr.bin/rs/rs.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.bin/rs/rs.c b/usr.bin/rs/rs.c
index 557c5b9f56c0..046bdc125f00 100644
--- a/usr.bin/rs/rs.c
+++ b/usr.bin/rs/rs.c
@@ -114,10 +114,11 @@ main(int argc, char *argv[])
 static void
 getfile(void)
 {
-       char *p;
+       char *p, *sp;
        char *endp;
        char **ep;
        int c;
+       int len;
        int multisep = (flags & ONEISEPONLY ? 0 : 1);
        int nullpad = flags & NULLPAD;
        char **padto;
@@ -159,11 +160,13 @@ getfile(void)
                                *ep = blank;
                        else                    /* store column entry */
                                *ep = p;
+                       sp = p;
                        while (p < endp && *p != isep)
                                p++;            /* find end of entry */
                        *p = '\0';              /* mark end of entry */
-                       if (maxlen < p - *ep)   /* update maxlen */
-                               maxlen = p - *ep;
+                       len = p - sp;
+                       if (maxlen < len)       /* update maxlen */
+                               maxlen = len;
                        INCR(ep);               /* prepare for next entry */
                }
                irows++;                        /* update row count */
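Review bot: The new `sp = p;` line has no comment, so nothing at the site explains why the length is measured from `sp` rather than from `*ep`. A later cleanup could fold the two back together and reintroduce the subtraction against `blank`, which the `*ep = blank;` branch just above shows can be a different object from the line buffer. I would write it as `sp = p;  /* entry start; *ep may point at blank, not into this line */`. Separately, `len = p - sp;` narrows a ptrdiff_t into the `int len` declared in the first hunk; that is presumably harmless if line lengths are already bounded by an int, but the bound is not visible here and is worth confirming. getfile's body starts and ends outside this hunk.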
