I think I found a bug in rxvt-unicode-9.09 where an array is defined
as too small.

The header rxvt.h has these definitions:

enum {
# define def(name,idx) Opt_ ## name = idx,
# define nodef(name)   Opt_ ## name = 0,
# include "optinc.h"
# undef nodef
# undef def
Opt_count
};
struct rxvt_vars : TermWin_t
{
  scrollBar_t     scrollBar;
  uint8_t         options[(Opt_count + 7) >> 3];
  ...
};

Here, depending on the configuration options, the last enum value
defined before Opt_count can be extended from nodef(buffered).  If it
is, the value of Opt_count becomes 1, so the options array gets too
small and code accesses it out of bounds.

Do you suppose this is an actual bug?

Ambrus
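
The miscount described in the message above, reproduced as a stand-alone added example (not rxvt-unicode's code and not part of the original message). The option list is a constructed stand-in for optinc.h in which only `buffered` comes from the message; `Opt_count_fixed`, `union opt_span` and the helper functions are hypothetical names showing one order-independent way to size the array, and one bit per option is assumed from the sizing expression.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for optinc.h. Names and indices are illustrative;
   only `buffered` is named in the message. The list ends in a nodef(),
   as it can for some build configurations. */
#define OPTION_LIST   \
  def(console, 0)     \
  def(loginShell, 1)  \
  def(scrollBar, 9)   \
  nodef(buffered)

/* Same pattern as rxvt.h: Opt_count is "value of the last entry + 1". */
enum {
#define def(name, idx) Opt_##name = idx,
#define nodef(name)    Opt_##name = 0,
  OPTION_LIST
#undef nodef
#undef def
  Opt_count
};

/* Assumed order-independent count: a union of char arrays is as large as
   its largest member, so its size is (highest def index + 1). */
union opt_span {
#define def(name, idx) char name[(idx) + 1];
#define nodef(name)
  OPTION_LIST
#undef nodef
#undef def
};
enum { Opt_count_fixed = sizeof(union opt_span) };

/* Bytes reserved by the rxvt.h sizing expression, flawed and fixed. */
size_t flawed_bytes(void) { return (Opt_count + 7) >> 3; }
size_t fixed_bytes(void)  { return (Opt_count_fixed + 7) >> 3; }

/* Assumes one bit per option, so option idx lives in byte idx >> 3. */
int option_in_bounds(int idx, size_t bytes) { return (size_t)(idx >> 3) < bytes; }

int main(void) {
  printf("Opt_count=%d bytes=%zu scrollBar in bounds: %d\n", Opt_count,
         flawed_bytes(), option_in_bounds(Opt_scrollBar, flawed_bytes()));
  printf("fixed count=%d bytes=%zu scrollBar in bounds: %d\n", Opt_count_fixed,
         fixed_bytes(), option_in_bounds(Opt_scrollBar, fixed_bytes()));
  return 0;
}
```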
