On Fri, Nov 20, 2015 at 9:00 PM, Greg Reagle <greg.rea...@umbc.edu> wrote:
> That's right--buf is accessed without bounds checking. The problem is in
> ttyread() in the while loop, buf gets overflowed, i.e. ptr - buf exceeds
> BUFSIZ (8192). Haven't figured out how to remedy the problem (yet).
>

What makes you think this is an overflow? The leading one-bits in clen to me
clearly hint that this happens through forming a negative buflen, hence my use
of the word underflow.

Apart from that, I still get segfaults with even this overly pessimistic check
in the code:

	while ((charsize = utf8decode(ptr, &unicodep, buflen))
	       && buflen - charsize > 0
	       && ptr - buf + charsize < BUFSIZ - 4) {
		tputc(unicodep);
		ptr += charsize;
		buflen -= charsize;
	}

The underflow on my gdb test being in the minus hundred thousands even makes it
look as if it was something else like the read() call that overflowed. Eww.

cheers!
mar77i
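A self-contained C model of the ttyread() loop discussed in this thread, added here and not st's own code: model_decode stands in for utf8decode() and is only assumed to share the property of returning 0 for an incomplete trailing sequence; model_process checks charsize against buflen before subtracting, so buflen cannot go negative, and as_clen shows what a negative int buflen turns into once it is passed as a size_t clen (the leading one-bits mentioned above). MODEL_BUFSIZ and the sample input are constructed for the example.

```c
#include <string.h>

#define MODEL_BUFSIZ 16      /* stand-in for st's BUFSIZ (8192) */
/* Stand-in for utf8decode() (assumed behaviour, not st's code): decode one
 * code point from at most clen bytes; returns its byte length, 0 if incomplete. */
static int model_decode(const unsigned char *p, size_t clen, long *cp)
{
    size_t len, i;
    if (clen == 0)
        return 0;
    if (p[0] < 0x80)       { len = 1; *cp = p[0]; }
    else if (p[0] >= 0xF0) { len = 4; *cp = p[0] & 0x07; }
    else if (p[0] >= 0xE0) { len = 3; *cp = p[0] & 0x0F; }
    else if (p[0] >= 0xC0) { len = 2; *cp = p[0] & 0x1F; }
    else { *cp = 0xFFFD; return 1; }      /* stray continuation byte */
    if (len > clen)
        return 0;                         /* incomplete: keep for next read */
    for (i = 1; i < len; i++) {
        if ((p[i] & 0xC0) != 0x80) { *cp = 0xFFFD; return 1; }
        *cp = (*cp << 6) | (p[i] & 0x3F);
    }
    return (int)len;
}

/* The ttyread() loop with charsize checked against buflen before the
 * subtraction, so buflen cannot go negative.  Complete code points go to
 * out[], the incomplete tail is moved to the front of buf; returns new buflen. */
static int model_process(unsigned char *buf, int buflen, long *out, int *nout)
{
    unsigned char *ptr = buf;
    long cp;
    int charsize;
    *nout = 0;
    while ((charsize = model_decode(ptr, (size_t)buflen, &cp)) > 0
           && charsize <= buflen) {
        out[(*nout)++] = cp;
        ptr += charsize;
        buflen -= charsize;
    }
    memmove(buf, ptr, (size_t)buflen);
    return buflen;
}
/* What a negative int buflen becomes as a size_t clen: the leading one-bits. */
static size_t as_clen(int buflen) { return (size_t)buflen; }
/* Constructed input: 'A', U+00E9, U+20AC, then a truncated 4-byte sequence. */
static unsigned char sample[MODEL_BUFSIZ] = "A\xC3\xA9\xE2\x82\xAC\xF0\x9F";
static long decoded[MODEL_BUFSIZ];
static int ndecoded;
static int run_sample(void) { return model_process(sample, 8, decoded, &ndecoded); }
```

run_sample() decodes the three complete characters and leaves the two truncated bytes at the front of the buffer for the next read, exactly the case where an unchecked subtraction would otherwise be the place to look.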