gbranden pushed a commit to branch master
in repository groff.

commit c77f59e32339183d887300e3198707e4e4ad06dc
Author: G. Branden Robinson <[email protected]>
AuthorDate: Wed Aug 14 15:25:00 2024 -0500

    [troff]: Fix Savannah #66081.
    
    * src/roff/troff/env.cpp (override_sizes): Zero out heap-allocated
      memory prior to use.  If `strtok()` returns a null pointer, we break
      early from the `for` loop before populating it.  The only other case
      where we break out of the loop is when `lower` is 0, and we do only
      after adding this 0 to `sizes`.  Since this memory is then passed to
      `font_size::init_size_table()`, which uses a zero integer to detect
      the end of the list, we could then access uninitialized memory.  [The
      user is not required to supply a zero argument to the `sizes` request.
      I also revised the patch to use memset(3) instead of (an empty) value
      initializer, which is a C++03 feature.  --GBR]
    
    Fixes <https://savannah.gnu.org/bugs/?66081>.
---
 ChangeLog              | 17 +++++++++++++++++
 src/roff/troff/env.cpp |  3 ++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 795145e69..8f4b3a9db 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+2024-08-14  Lukas Javorsky <[email protected]>
+
+       * src/roff/troff/env.cpp (override_sizes): Zero out
+       heap-allocated memory prior to use.  If `strtok()` returns a
+       null pointer, we break early from the `for` loop before
+       populating it.  The only other case where we break out of the
+       loop is when `lower` is 0, and we do only after adding this 0 to
+       `sizes`.  Since this memory is then passed to
+       `font_size::init_size_table()`, which uses a zero integer to
+       detect the end of the list, we could then access uninitialized
+       memory.  [The user is not required to supply a zero argument to
+       the `sizes` request.  I also revised the patch to use memset(3)
+       instead of (an empty) value initializer, which is a C++03
+       feature.  --GBR]
+
+       Fixes <https://savannah.gnu.org/bugs/?66081>.
+
 2024-08-14  G. Branden Robinson <[email protected]>
 
        * src/roff/troff/env.cpp (override_sizes): Refer to size range
diff --git a/src/roff/troff/env.cpp b/src/roff/troff/env.cpp
index 62c251927..b54df35e9 100644
--- a/src/roff/troff/env.cpp
+++ b/src/roff/troff/env.cpp
@@ -1318,7 +1318,8 @@ void point_size()
 void override_sizes()
 {
   int n = 16;
-  int *sizes = new int[n];
+  int *sizes = new int[n]; // C++03: new int[n]();
+  (void) memset(sizes, 0, (n * sizeof(int)));
   int i = 0;
   char *buf = read_string();
   if (!buf)
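Review bot: `memset()` needs `<cstring>` (or `<string.h>`) in scope, and the hunk context does not show env.cpp's includes, so confirm one is already present rather than relying on transitive inclusion. Two smaller points: the fill covers only the initial 16-element block from `new int[n]`, so if the function ever grows the array further down (not visible here) the enlarged block needs the same zeroing; and since, per the commit message, the `strtok()`-returns-null `break` is the only path that leaves the list unterminated, storing `sizes[i] = 0` on that path (with `i < n` checked) would make the terminator explicit instead of depending on a whole-buffer fill.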

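A constructed C++ illustration of the failure mode the commit message describes (added here; this is not groff's code): a size-list parser that writes a 0 terminator only when the input contains one, paired with a consumer that scans to the first 0. The names `parse_size_list` and `count_sizes` are hypothetical, and the non-zero pre-fill stands in for stale heap contents, since genuinely uninitialized memory cannot be observed deterministically.

```cpp
#include <cstdlib>
#include <cstring>

// Parse a space-separated list of point sizes into a heap array of n ints.
// Mirrors the shape of the bug: a 0 is stored only when the input carries
// one, and the strtok()-returns-null exit writes no terminator at all.
static int *parse_size_list(const char *request, bool zero_fill, int n = 16)
{
  int *sizes = new int[n];
  if (zero_fill)
    (void) std::memset(sizes, 0, n * sizeof(int));   // the commit's fix
  else
    for (int k = 0; k < n; k++)
      sizes[k] = 0x7fff;   // constructed stand-in for stale heap data

  // strtok() modifies its input, so work on a private copy.
  char *buf = new char[std::strlen(request) + 1];
  std::strcpy(buf, request);

  int i = 0;
  for (char *tok = std::strtok(buf, " "); ; tok = std::strtok(NULL, " ")) {
    if (tok == NULL || i >= n - 1)
      break;                       // early exit: no sentinel written here
    int lower = std::atoi(tok);
    sizes[i++] = lower;
    if (lower == 0)
      break;                       // the only path that stores a 0
  }
  delete[] buf;
  return sizes;
}

// Walk the list the way a sentinel-terminated consumer would, stopping at
// the first 0.  The n bound exists only so the demonstration stays in
// bounds; a consumer that trusts the sentinel has no such bound.
static int count_sizes(const int *sizes, int n)
{
  int count = 0;
  while (count < n && sizes[count] != 0)
    count++;
  return count;
}
```

With `zero_fill` false and an input lacking a trailing 0, the consumer runs past the three real entries to the end of the buffer; with the zeroed buffer it stops after three.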
_______________________________________________
Groff-commit mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/groff-commit