remove: fix out-of-bound access

The `u32_move` will try to read `input.lines[j].num_chars - c + 1` `u32`
octets from `input.lines[j].mbtext + input.lines[j].posmap[c]`. That
means it needs to access memory at address
`input.lines[j].mbtext + input.lines[j].posmap[c] + input.lines[j].num_chars - c`
while the max range is `input.lines[j].mbtext + input.lines[j].num_chars`,
which is out-of-bound because `input.lines[j].posmap[c] > c` obviously.

Fix #103
Đoàn Trần Công Danh 2022-10-03 21:44:36 +07:00 committed by Thomas Jensen
parent 7de6854fd9
commit 61562b0158

@ -983,10 +983,10 @@ int remove_box()
fprintf(stderr, "u32_move(\"%s\", \"%s\", %d); // posmap[c]=%d\n",
u32_strconv_to_output(input.lines[j].mbtext),
u32_strconv_to_output(input.lines[j].mbtext + input.lines[j].posmap[c]),
(int) (input.lines[j].num_chars - c + 1), (int) input.lines[j].posmap[c]);
(int) (input.lines[j].num_chars - input.lines[j].posmap[c] + 1), (int) input.lines[j].posmap[c]);
#endif
u32_move(input.lines[j].mbtext, input.lines[j].mbtext + input.lines[j].posmap[c],
input.lines[j].num_chars - c + 1); /* +1 for zero byte */
input.lines[j].num_chars - input.lines[j].posmap[c] + 1); /* +1 for zero byte */
input.lines[j].num_chars -= c;
}
}
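Review bot: the unchanged context line `input.lines[j].num_chars -= c;` directly after the corrected `u32_move` call still shrinks the length by `c`, while the move now discards `input.lines[j].posmap[c]` elements from the front of `mbtext`. If `num_chars` counts `mbtext` elements, as the bound `mbtext + num_chars` in the commit message implies, the stored length stays too large by `posmap[c] - c` whenever the two differ, and any later use of `num_chars` on this line would start from an overstated count. Consider `input.lines[j].num_chars -= input.lines[j].posmap[c];` here, or a comment explaining why `c` is the right amount. The count `num_chars - posmap[c] + 1` is also unchecked: if `posmap[c]` can exceed `num_chars` and the operands are unsigned, the subtraction wraps, so an assertion or guard before the call would be worth adding. Reading `posmap[c]` once into a local would also keep the debug `fprintf` and the actual call from drifting apart again.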