[cdesktopenv-devel] Fix memory fault in instant(1) with OpenBSD's malloc(3) 'S'

Thu, 22 Nov 2012 09:42:57 -0800 

option
--------

See patch.

>From d3086c6ddf0b925a2f95f2cebd82b82f400179c5 Mon Sep 17 00:00:00 2001
From: Pascal Stumpf <pascal.stu...@cubes.de>
Date: Thu, 22 Nov 2012 14:27:26 +0100
Subject: [PATCH] Keep track of the length of the string in ExpandVariables().

On OpenBSD, the 'S' option to malloc(3) enables guard pages (among other
things).  This loop could have triggered this trap when reading beyond the
buffer.  Also, the whole "while(*ip)" construct was based on the assumption that
the memory after the string is always zero-filled.
---
 cde/programs/dtdocbook/instant/translate.c |    8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diff --git a/cde/programs/dtdocbook/instant/translate.c 
b/cde/programs/dtdocbook/instant/translate.c
index cb01270..9598335 100644
--- a/cde/programs/dtdocbook/instant/translate.c
+++ b/cde/programs/dtdocbook/instant/translate.c
@@ -197,14 +197,17 @@ ExpandVariables(
     char       *def_val, *s, *atval, *modifier;
     char       vbuf[500];
     int                lev;
+    size_t     len = 0, totlen;
 
     ip = in;
     op = out;
-    while (*ip) {
+    totlen = strlen(ip);
+    while (totlen >= len && *ip) {
        /* start of regular variable? */
        if (*ip == VDELIM && *(ip+1) == L_CURLY && *(ip+2) != '_') {
            ip++;
            ip++;               /* point at variable name */
+           len + 2;
            vp = vbuf;
            /*  Look for matching (closing) curly. (watch for nesting)
             *  We store the variable content in a tmp buffer, so we don't
@@ -216,11 +219,13 @@ ExpandVariables(
                if (*ip == R_CURLY) {
                    if (lev == 0) {
                        ip++;
+                       len++;
                        break;
                    }
                    else lev--;
                }
                *vp++ = *ip++;  /* copy to variable buffer */
+               len++;
            }
            *vp = EOS;
            /* vbuf now contains the variable name (stuff between curlys). */
@@ -270,6 +275,7 @@ ExpandVariables(
            }
        }
        *op++ = *ip++;
+       len++;
     }
     *op = EOS;         /* terminate string */
 }
-- 
1.7.6


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
cdesktopenv-devel mailing list
cdesktopenv-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cdesktopenv-devel

Reply via email to