The update to 20170704 broke tab completion, at least when running with
malloc.conf -> J. For example, typing '/msg <user who pm-ed you before>'
on icb and holding down the tab-key for a while will crash ircII after a
while.

The reason is that an off-by-one in double_quote() in source/ircaux.c
will prevent double_quote_work() from null terminating the returned
string.  An example of a crash looks like this:

#0  strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:124
#1  0x0000101e17d32773 in malloc_strncat (ptr=0x7f7ffffdc030,
    src=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete sequence \333><error: Cannot access memory at address 0x1020f92fa000>, extra=0)
    at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/ircaux.c:232
#2  0x0000101e17d32721 in malloc_strcat (ptr=0x7f7ffffdc030,
    src=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete sequence \333><error: Cannot access memory at address 0x1020f92fa000>)
    at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/ircaux.c:221
#3  0x0000101e17d08428 in expander_addition (buff=0x7f7ffffdc030,
    add=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete sequence \333><error: Cannot access memory at address 0x1020f92fa000>, length=0,
    quote_em=0x1020f92f9650 "\\^")
    at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1360
#4  0x0000101e17d03c75 in alias_special_char (name=0x1021077f4340 "TK.GETMSG",
    lbuf=0x7f7ffffdc030, ptr=0x10204fc8b8a6 " ",
    args=0x1020f6738d4b "1 tb2 tb2", quote_em=0x1020f92f9650 "\\^",
    args_flag=0x7f7ffffdc0a4)
    at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1466
#5  0x0000101e17d0195f in expand_alias (name=0x1021077f4340 "TK.GETMSG",
    string=0x1020c7fc5f98 "type ^U$tk.junk $^\\^^{[$($tk.msgcnt)]} ",
    args=0x1020f6738d4b "1 tb2 tb2", args_flag=0x7f7ffffdc0a4,
    more_text=0x7f7ffffdc0c0)
    at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1625
(More stack frames follow...)


Index: Makefile
===================================================================
RCS file: /var/cvs/ports/net/ircII/Makefile,v
retrieving revision 1.50
diff -u -p -r1.50 Makefile
--- Makefile    13 Oct 2017 14:56:22 -0000      1.50
+++ Makefile    24 Oct 2017 14:48:38 -0000
@@ -3,6 +3,7 @@
 COMMENT=       Internet Relay Chat client
 
 VERSION=       20170704
+REVISION=      0
 DISTNAME=      ircii-${VERSION}
 PKGNAME=       ircII-${VERSION}
 CATEGORIES=    net
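Review bot: the REVISION=0 bump is the right accompaniment to a new source patch that changes the built binary without a VERSION change, and it sits in the conventional spot after VERSION; nothing further needed in this hunk.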
Index: patches/patch-source_ircaux_c
===================================================================
RCS file: patches/patch-source_ircaux_c
diff -N patches/patch-source_ircaux_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-source_ircaux_c       24 Oct 2017 14:45:30 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+fix off-by-one responsible for failing to null terminate dst
+
+Index: source/ircaux.c
+--- source/ircaux.c.orig
++++ source/ircaux.c
+@@ -965,7 +965,7 @@ double_quote(u_char *str, u_char *stuff)
+               return empty_string();
+ 
+       dst = new_malloc(len + 1);
+-      len2 = double_quote_work(str, stuff, dst, len);
++      len2 = double_quote_work(str, stuff, dst, len + 1);
+       if (len != len2)
+               yell("--- double_quote() error: len %zu len2 %zu", len, len2);
+ 
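Review bot: passing len + 1 makes the size argument match the new_malloc(len + 1) allocation so the worker has a slot for the terminator, but note that the existing `if (len != len2)` sanity check below the changed line compares lengths only and cannot detect a missing NUL (it did not fire before this crash), so consider following the call with a direct check such as `dst[len] == '\0'` or documenting in the patch header that double_quote_work()'s last argument is the full buffer capacity including the terminator, and mentioning the strlen() crash under malloc.conf J so future maintainers recognise the symptom.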

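To make the off-by-one described in the report concrete, the following is an added C illustration, not ircII's code: quote_work() and quoted_len() are hypothetical stand-ins for double_quote_work() and the length computation that precedes new_malloc(len + 1). The worker writes at most dstsize bytes and only appends the NUL if a slot remains, so a caller that allocates len + 1 but passes len gets an unterminated buffer, exactly the silent defect the patch fixes. The buffer is junk-filled with 0xdb (the '\333' bytes in the trace) so the missing terminator is visible, and is_terminated() shows the check a caller can make instead of trusting strlen(); the len == len2 comparison passes in both cases, which is why it never flagged the bug.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the length computation before the allocation:
 * length of src once every byte found in `stuff` is backslash-quoted. */
static size_t quoted_len(const char *src, const char *stuff)
{
    size_t n = 0;
    for (; *src; src++)
        n += strchr(stuff, *src) ? 2 : 1;
    return n;
}

/* Hypothetical stand-in for double_quote_work(): quote src into dst without
 * ever writing past dstsize bytes. Returns the quoted length excluding the
 * terminator, whether or not the terminator fit. */
static size_t quote_work(const char *src, const char *stuff, char *dst, size_t dstsize)
{
    size_t n = 0;
    for (; *src; src++) {
        if (strchr(stuff, *src)) {
            if (n < dstsize) dst[n] = '\\';
            n++;
        }
        if (n < dstsize) dst[n] = *src;
        n++;
    }
    if (n < dstsize)          /* the terminator needs its own slot */
        dst[n] = '\0';
    return n;
}

/* 1 if buf holds a NUL within cap bytes (so strlen() on it is safe), else 0. */
static int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Run the caller with the buggy capacity (len) or the fixed one (len + 1).
 * Returns 1 if the result is NUL-terminated, 0 if not, -1 on allocation failure. */
static int quote_example(const char *src, const char *stuff, int fixed)
{
    size_t len = quoted_len(src, stuff);
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return -1;
    /* Junk-fill like malloc.conf 'J' (0xdb, printed as '\333' in the trace)
     * so a missing terminator is not masked by zeroed memory. */
    memset(dst, 0xdb, len + 1);

    size_t len2 = quote_work(src, stuff, dst, fixed ? len + 1 : len);
    if (len != len2)   /* mirrors the report's length check; passes either way */
        fprintf(stderr, "length mismatch: len %zu len2 %zu\n", len, len2);

    int ok = is_terminated(dst, len + 1);
    free(dst);
    return ok;
}

int main(void)
{
    const char *stuff = "\\^";   /* the quote_em string from the trace */
    const char *src = "tb2";     /* constructed sample input */
    printf("buggy capacity (len):      %s\n",
           quote_example(src, stuff, 0) ? "terminated" : "NOT terminated");
    printf("fixed capacity (len + 1):  %s\n",
           quote_example(src, stuff, 1) ? "terminated" : "NOT terminated");
    return 0;
}
```

Running it prints "NOT terminated" for the buggy capacity and "terminated" for the fixed one; the length-mismatch message never appears, which is the point: a size-only sanity check does not cover the terminator, so callers that hand a worker a buffer capacity should pass the full allocation size and, where cheap, verify the terminator directly.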