ref: 3debe91f3d1dd8a49ec2de5927e46e28ae9e7aad
parent: f5d819e6a63f7317e745bc7bc5340028ff9d9cf0
author: Ori Bernstein <ori@eigenstate.org>
date: Sat Aug 1 06:49:29 EDT 2020
htmlroff: fix out of bounds access (thanks Rei-sen, via plan9port) _readx() uses rune count as its argument and not size, so we should pass nelem() instead of sizeof().
--- a/sys/src/cmd/htmlroff/roff.c
+++ b/sys/src/cmd/htmlroff/roff.c
@@ -257,7 +257,7 @@
int c;
Rune *r;
- if(_readx(buf, sizeof buf, ArgMode, 0) < 0)
+ if(_readx(buf, nelem(buf), ArgMode, 0) < 0)
return nil;
r = runestrstr(buf, L("\\\"")); if(r){@@ -280,7 +280,7 @@
static Rune buf[MaxLine];
Rune *r;
- if(_readx(buf, sizeof buf, m, 1) < 0)
+ if(_readx(buf, nelem(buf), m, 1) < 0)
return nil;
r = erunestrdup(buf);
return r;
--
⑨