gbranden pushed a commit to branch master
in repository groff.

commit 568beeb2efed5299868585c9bf3c700413cf1a12
Author: G. Branden Robinson <[email protected]>
AuthorDate: Wed Aug 7 01:36:09 2024 -0500

    [troff]: Fix Savannah #66052 (1/2).
    
    * src/roff/troff/env.cpp (hyphenate): Fix potential one-byte stack
      overwrite if attempting to hyphenate a 256-letter sequence within a
      word.  Reserve space for null terminator in `hbuf` character array.
      Initially, this isn't necessary because the array is simply walked to
      normalize hyphenation codes by their equivalence classes.  However,
      when we subsequently look up the (possibly partial) word in the
      exception dictionaries, `hbuf` (or a pointer into it) needs to be
      treatable as a C string, thus null-terminated.  Respell already
      correct expression later in the code to reinforce similarity.
    
    Partially fixes <https://savannah.gnu.org/bugs/?66052>.  Thanks to Lukas
    Javorsky for identifying the problem using "SAST analyzers (combination
    of coverity, snyk, cppcheck, gcc, clang, shellcheck, unicontrol)".
    
    ANNOUNCE: Acknowledge Lukas.
---
 ANNOUNCE               |  1 +
 ChangeLog              | 20 ++++++++++++++++++++
 src/roff/troff/env.cpp |  4 ++--
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index fe5d8e794..69117e1e2 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -179,6 +179,7 @@ Heinz-Jürgen Oertel
 Ian Ropers
 Ingo Schwarze
 Lennart Jablonka
+Lukas Javorsky
 Michał Kruszewski
 Mike Fulton
 Morten Bo Johansen
diff --git a/ChangeLog b/ChangeLog
index 349e9b318..bb12c124a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@
+2024-08-07  G. Branden Robinson <[email protected]>
+
+       [troff]: Fix Savannah #66052 (1/2).
+
+       * src/roff/troff/env.cpp (hyphenate): Fix potential one-byte
+       stack overwrite if attempting to hyphenate a 256-letter sequence
+       within a word.  Reserve space for null terminator in `hbuf`
+       character array.  Initially, this isn't necessary because the
+       array is simply walked to normalize hyphenation codes by their
+       equivalence classes.  However, when we subsequently look up the
+       {possibly partial} word in the exception dictionaries, `hbuf`
+       {or a pointer into it} needs to be treatable as a C string, thus
+       null-terminated.  Respell already correct expression later in
+       the code to reinforce similarity.
+
+       Fixes <https://savannah.gnu.org/bugs/?66052> (1/2).  Thanks to
+       Lukas Javorsky for identifying the problem using "SAST analyzers
+       {combination of coverity, snyk, cppcheck, gcc, clang,
+       shellcheck, unicontrol}".
+
 2024-08-07  G. Branden Robinson <[email protected]>
 
        * src/roff/troff/node.cpp (set_font_specific_special_fonts):
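Review bot: the ChangeLog entry reads "Fixes <https://savannah.gnu.org/bugs/?66052> (1/2)" while the commit message says "Partially fixes"; since this is explicitly part 1 of 2, it would help to use the same wording in both records so a reader of the ChangeLog alone does not conclude the bug is closed by this change.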
diff --git a/src/roff/troff/env.cpp b/src/roff/troff/env.cpp
index 015d1c172..5e3371cff 100644
--- a/src/roff/troff/env.cpp
+++ b/src/roff/troff/env.cpp
@@ -4233,7 +4233,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
     while (h && h->hyphenation_code == 0)
       h = h->next;
     int len = 0;
-    char hbuf[WORD_MAX + 2];
+    char hbuf[WORD_MAX + 2 + 1];
     char *buf = hbuf + 1;
     hyphen_list *tem;
     for (tem = h; tem && len < WORD_MAX; tem = tem->next) {
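Review bot: enlarging `hbuf` to `WORD_MAX + 2 + 1` only removes the overwrite if the terminator is actually written, and that write is not in this hunk. With the loop bounded by `len < WORD_MAX` and the sentinels placed by `hbuf[0] = hbuf[len + 1] = '.'`, the string occupies indices 0 through `WORD_MAX + 1` in the worst case and the NUL must land at index `WORD_MAX + 2`, which is exactly the byte now reserved; please confirm that a `hbuf[len + 2] = '\0'` (or equivalent) precedes the exception-dictionary lookups the commit message describes, and a one-line comment on the declaration spelling out the layout (leading '.', up to `WORD_MAX` letters, trailing '.', NUL) would spare the next reader re-deriving the arithmetic.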
@@ -4293,7 +4293,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
        }
        else {
          hbuf[0] = hbuf[len + 1] = '.';
-         int num[WORD_MAX + 3];
+         int num[WORD_MAX + 2 + 1];
          current_language->patterns.hyphenate(hbuf, len + 2, num);
          // The position of a hyphenation point gets marked with an odd
          // number.  Example:
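Review bot: `WORD_MAX + 2 + 1` is the same value as the previous `WORD_MAX + 3`, so this is purely a respelling with no behavioural change, as the commit message states; since `num` is indexed alongside the `len + 2` positions passed to `patterns.hyphenate(hbuf, len + 2, num)`, consider deriving both array sizes from one named constant (or writing `int num[sizeof hbuf];`) so that `hbuf` and `num` cannot drift apart in a later edit.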

_______________________________________________
Groff-commit mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/groff-commit
