nano

nano with my custom patches
git clone git://bsandro.tech/nano
Log | Files | Refs | README | LICENSE
commit 114cfb63f449a7e6520ad9e5406dbbf606abc301
parent 1f104f80795ac63b47c1a168fb27110d6aa5bd21
Author: David Lawrence Ramsey <pooka109@gmail.com>
Date:   Fri,  3 Feb 2006 03:58:49 +0000

in display_string(), fix memory corruption problems caused by not
allocating enough space for converted when a line ends in a tab(s) and
we're not in UTF-8 mode


git-svn-id: svn://svn.savannah.gnu.org/nano/trunk/nano@3272 35c25a1d-7b9e-4130-9fde-d3aeb78583b8

Diffstat:

MChangeLog | 3+++


Msrc/winio.c | 34++++++++++++++++++++++++++++------


2 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
@@ -37,6 +37,9 @@ CVS code -
 	  Mike Frysinger)
   display_string()
 	- Fix minor memory leak. (DLR)
+	- Fix memory corruption problems caused by not allocating enough
+	  space for converted when a line ends in a tab(s) and we're not
+	  in UTF-8 mode. (DLR, found by Nick Warne and Mike Frysinger)
 - doc/nano.1:
 	- Better display the default values for quotestr. (DLR)
 - doc/nanorc.5:
diff --git a/src/winio.c b/src/winio.c
@@ -1809,10 +1809,22 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool
 
     assert(column <= start_col);
 
-    /* Allocate enough space for the entire line. */
-    alloc_len = (mb_cur_max() * (COLS + 1));
+    /* Make sure there's enough room for the initial character, whether
+     * it's a multibyte control character, a non-control multibyte
+     * character, a tab character, or a null terminator.  Rationale:
+     *
+     * multibyte control character followed by a null terminator:
+     *     1 byte ('^') + mb_cur_max() bytes + 1 byte ('\0')
+     * multibyte non-control character followed by a null terminator:
+     *     mb_cur_max() bytes + 1 byte ('\0')
+     * tab character followed by a null terminator:
+     *     mb_cur_max() bytes + (tabsize - 1) bytes + 1 byte ('\0')
+     *
+     * Since tabsize has a minimum value of 1, it can substitute for 1
+     * byte above. */
+    alloc_len = (mb_cur_max() + tabsize + 1) * MAX_BUF_SIZE;
+    converted = charalloc(alloc_len);
 
-    converted = charalloc(alloc_len + 1);
     index = 0;
 
     if (buf[start_index] != '\t' && (column < start_col || (dollars &&
@@ -1849,9 +1861,17 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool
 #endif
     }
 
-    while (index < alloc_len - 1 && buf[start_index] != '\0') {
+    while (buf[start_index] != '\0') {
 	buf_mb_len = parse_mbchar(buf + start_index, buf_mb, NULL);
 
+	/* Make sure there's enough room for the next character, whether
+	 * it's a multibyte control character, a non-control multibyte
+	 * character, a tab character, or a null terminator. */
+	if (index + mb_cur_max() + tabsize + 1 >= alloc_len - 1) {
+	    alloc_len += (mb_cur_max() + tabsize + 1) * MAX_BUF_SIZE;
+	    converted = charealloc(converted, alloc_len);
+	}
+
 	/* If buf contains a tab character, interpret it. */
 	if (*buf_mb == '\t') {
 #if !defined(NANO_TINY) && defined(ENABLE_NANORC)
@@ -1923,8 +1943,10 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool
 
     free(buf_mb);
 
-    if (index < alloc_len - 1)
-	converted[index] = '\0';
+    assert(alloc_len >= index + 1);
+
+    /* Null terminate converted. */
+    converted[index] = '\0';
 
     /* Make sure converted takes up no more than len columns. */
     index = actual_x(converted, len);