On Tue, May 12, 2020 at 06:51:02PM +0100, Chris Down wrote:
> If we read in a line with \0 at the beginning, blen will be 0. However,
> we then try to index our copy of the buffer with
> s->lines[s->linecount][blen-1], so we'll read (and potentially write if the
> data happens to be 0x0A) outside of strdup's allocated memory, and may
> crash.
>
> Fix this by just rejecting lines with a leading \0. Lines with nulls
> embedded in other places don't invoke similar behaviour, since the
> length is still >0.
> ---
> sent.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/sent.c b/sent.c
> index c50a572..f9dcd75 100644
> --- a/sent.c
> +++ b/sent.c
> @@ -428,6 +428,10 @@ load(FILE *fp)
> maxlines = 0;
> memset((s = &slides[slidecount]), 0, sizeof(Slide));
> do {
> + /* if there's a leading null, we can't do blen-1 */
> + if (!*buf)
> + continue;
> +
> if (buf[0] == '#')
> continue;
>
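Review bot: the new `if (!*buf) continue;` at the top of the do-while body removes the zero-length case before `blen` is computed, but the hazard named in the commit message is the unguarded `s->lines[s->linecount][blen-1]` index itself; consider also guarding that site with `blen > 0` so a zero-length line can never reach it no matter how the input is filtered here. The comment "we can't do blen-1" would be more useful if it said why: strlen() returns 0 for a leading NUL, so `blen - 1` wraps and indexes before the strdup'd allocation.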
> --
> 2.26.2
>
Looks good to me. Minor nitpick: maybe the style can be:
if (buf[0] == '\0')
and maybe fgets can simply be rewritten using getline() at:
http://git.suckless.org/sent/file/sent.c.html#l417
--
Kind regards,
Hiltjo
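As an added example that is not part of this thread or of sent's source: a small C loader modelled on the load() loop quoted above, reading with getline() as suggested in the reply, rejecting lines whose first byte is NUL, and additionally guarding the blen - 1 index at the point where the trailing newline is stripped. The names load_lines, free_lines and load_from_bytes, and the SAMPLE input (which contains a leading-NUL line, a comment and an embedded-NUL line), are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample input: a normal line, a line with a leading NUL, a
 * comment, a line with an embedded NUL, and a final normal line. */
static const char SAMPLE[] = "hello\n\0junk\n#comment\nab\0cd\nworld\n";

/* Hypothetical loader modelled on sent's load(): reads lines with getline()
 * and stores strdup'd copies. Returns the number of lines stored, or -1 on
 * allocation failure. */
static int
load_lines(FILE *fp, char ***out)
{
	char *buf = NULL, **lines = NULL, **tmp, *copy;
	size_t cap = 0, blen;
	ssize_t n;
	int count = 0;

	while ((n = getline(&buf, &cap, fp)) > 0) {
		/* Leading NUL: strlen(buf) would be 0 and blen - 1 would wrap,
		 * indexing before the strdup'd allocation. Reject the line. */
		if (buf[0] == '\0')
			continue;
		if (buf[0] == '#')
			continue;

		/* strlen() stops at the first NUL, so an embedded NUL merely
		 * truncates the line; blen stays > 0 for non-leading NULs. */
		if (!(copy = strdup(buf)))
			goto fail;
		blen = strlen(copy);
		/* Guard the index even though the leading-NUL check above already
		 * guarantees blen > 0 here; a later caller of this logic may not. */
		if (blen > 0 && copy[blen - 1] == '\n')
			copy[blen - 1] = '\0';

		if (!(tmp = realloc(lines, (count + 1) * sizeof *lines))) {
			free(copy);
			goto fail;
		}
		lines = tmp;
		lines[count++] = copy;
	}
	free(buf);
	*out = lines;
	return count;
fail:
	free(buf);
	while (count > 0)
		free(lines[--count]);
	free(lines);
	*out = NULL;
	return -1;
}

static void
free_lines(char **lines, int count)
{
	while (count > 0)
		free(lines[--count]);
	free(lines);
}

/* Helper for exercising the loader: writes len raw bytes (NULs included)
 * to a temporary file and runs load_lines() on it. */
static int
load_from_bytes(const char *bytes, size_t len, char ***out)
{
	FILE *fp = tmpfile();
	int count;

	if (!fp)
		return -1;
	if (fwrite(bytes, 1, len, fp) != len) {
		fclose(fp);
		return -1;
	}
	rewind(fp);
	count = load_lines(fp, out);
	fclose(fp);
	return count;
}

int
main(void)
{
	char **lines;
	int i, n = load_from_bytes(SAMPLE, sizeof SAMPLE - 1, &lines);

	for (i = 0; i < n; i++)
		printf("line %d: \"%s\"\n", i, lines[i]);
	free_lines(lines, n);
	return n < 0;
}
```

Run against SAMPLE this keeps "hello", "ab" (the embedded-NUL line truncated at the NUL, as the commit message says) and "world", and drops the leading-NUL line and the comment. getline() reports the full byte count of each line, so the loop sees the leading-NUL line as a 6-byte read even though strlen() would call it empty; the explicit buf[0] check is what keeps blen - 1 out of reach.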