On Mon, Sep 05, 2016 at 05:45:09PM +0200, Johannes Schindelin wrote:

> Before calling regexec() on the file contents, we better be certain that
> the strings fulfill the contract of C strings assumed by said function.

If you have a buffer that is exactly "size" bytes and you are worried
about regexec reading off the end, then...

> diff --git a/diffcore-pickaxe.c b/diffcore-pickaxe.c
> index 55067ca..88820b6 100644
> --- a/diffcore-pickaxe.c
> +++ b/diffcore-pickaxe.c
> @@ -49,6 +49,8 @@ static int diff_grep(mmfile_t *one, mmfile_t *two,
>       xpparam_t xpp;
>       xdemitconf_t xecfg;
>  
> +     assert(!one || one->ptr[one->size] == '\0');
> +     assert(!two || two->ptr[two->size] == '\0');
>       if (!one)
>               return !regexec(regexp, two->ptr, 1, &regmatch, 0);
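
Review bot: the two asserts index `one->ptr[one->size]` and `two->ptr[two->size]`, i.e. the byte just past a buffer that is only `size` bytes long, so the check performs exactly the out-of-bounds read it is meant to guard against, and it only notices a missing terminator when the byte that happens to follow is non-zero. `assert()` is also compiled out under NDEBUG, so those builds get no check at all. Prefer guaranteeing the terminator where the buffer is filled (allocate `size + 1` bytes and write the NUL there) or passing explicit bounds to the matcher (REG_STARTEND, where the libc supports it) so the regexec() calls below never depend on `ptr[size]` at all.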

...don't your asserts also read off the end?

So you might still segfault, though you do catch a case where we have N
bytes of junk before the end of the page (and you have a 255/256 chance
of catching it).

-Peff
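Added example, not code from this thread or from git itself: a matcher that hands regexec() explicit bounds via REG_STARTEND (a glibc/BSD extension), so a buffer that is exactly `size` bytes long needs neither a terminating NUL nor a `ptr[size]` probe. The names `match_bounded` and `grep_bytes` are assumed here.

```c
#include <regex.h>
#include <stddef.h>

/* Match `re` against the first `size` bytes of `buf` only.
 * With REG_STARTEND, regexec() scans [rm_so, rm_eo) of `buf` and treats
 * rm_eo as the end of input, so it never consults buf[size].
 * Returns 1 on match, 0 otherwise. */
int match_bounded(const regex_t *re, const char *buf, size_t size)
{
    regmatch_t m[1];
    m[0].rm_so = 0;
    m[0].rm_eo = (regoff_t)size;
    return regexec(re, buf, 1, m, REG_STARTEND) == 0;
}

/* The NUL-dependent form discussed in the thread. Only safe when the
 * caller has allocated size + 1 bytes and written buf[size] = '\0'. */
int match_terminated(const regex_t *re, const char *cstr)
{
    regmatch_t m[1];
    return regexec(re, cstr, 1, m, 0) == 0;
}

/* Convenience wrapper: compile `pattern` as an ERE and run the bounded
 * matcher over `buf[0..size)`. Returns 1 match, 0 no match, -1 bad pattern. */
int grep_bytes(const char *pattern, const char *buf, size_t size)
{
    regex_t re;
    int rc;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NEWLINE) != 0)
        return -1;
    rc = match_bounded(&re, buf, size);
    regfree(&re);
    return rc;
}
```

Bytes beyond `size` are never examined, so a pattern that would only match in the trailing junk is correctly rejected.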
