Date:      Fri, 11 Nov 2022 18:37:07 GMT
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 593cb2e370e4 - stable/13 - rs: Fix some pointer arith UB.
Message-ID:  <202211111837.2ABIb7Kv004525@gitrepo.freebsd.org>

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=593cb2e370e4d59064ea02854a45a0b3e8a5bb9c

commit 593cb2e370e4d59064ea02854a45a0b3e8a5bb9c
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-10-05 23:48:05 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-11-11 18:18:54 +0000

    rs: Fix some pointer arith UB.
    
    If the next column was blank, then the length of the following entry
    was computed as the end of the following entry minus a global variable
    "blank" which is not in the same string or allocation.  Instead, save
    the start value of 'p' explicitly instead of abusing '*ep'.  Possibly
    we should just increment p before saving it in sp in the 'blank' case,
    but at worst that would just mean maxlen might be one char too large
    which should be harmless.
    
    Reviewed by:    brooks
    Differential Revision:  https://reviews.freebsd.org/D36832
    
    (cherry picked from commit ba86cffb2840e12b5d72453d7c574850a76001d8)
---
 usr.bin/rs/rs.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.bin/rs/rs.c b/usr.bin/rs/rs.c
index 557c5b9f56c0..046bdc125f00 100644
--- a/usr.bin/rs/rs.c
+++ b/usr.bin/rs/rs.c
@@ -114,10 +114,11 @@ main(int argc, char *argv[])
 static void
 getfile(void)
 {
-	char *p;
+	char *p, *sp;
 	char *endp;
 	char **ep;
 	int c;
+	int len;
 	int multisep = (flags & ONEISEPONLY ? 0 : 1);
 	int nullpad = flags & NULLPAD;
 	char **padto;
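Review bot: The new `int len;` declaration is later assigned `p - sp`, a pointer difference of type ptrdiff_t, so the value is narrowed implicitly on 64-bit targets. Either declare it as `ptrdiff_t len;` or keep `int` and make the narrowing explicit with a cast at the assignment, so the assumption that a single entry never exceeds INT_MAX is visible in the code. The declaration of `sp` would also benefit from a short comment saying it holds the start of the current entry scan, since `*ep` no longer serves that purpose.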
@@ -159,11 +160,13 @@ getfile(void)
 				*ep = blank;
 			else			/* store column entry */
 				*ep = p;
+			sp = p;
 			while (p < endp && *p != isep)
 				p++;		/* find end of entry */
 			*p = '\0';		/* mark end of entry */
-			if (maxlen < p - *ep)	/* update maxlen */
-				maxlen = p - *ep;
+			len = p - sp;
+			if (maxlen < len)	/* update maxlen */
+				maxlen = len;
 			INCR(ep);		/* prepare for next entry */
 		}
 		irows++;			/* update row count */
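Review bot: At `sp = p;`, the saved start is taken after the blank/non-blank branch, so in the case where `*ep = blank` the subsequent `len = p - sp` is measured from the same position as a stored entry, and the commit message concedes maxlen may then be one character too large. That behaviour is only documented in the commit message; a one-line comment next to `sp = p;` (for example, noting that it is the start of the scan within the current line and may overcount by one for blank columns) would keep the next reader from reintroducing `p - *ep`. It is also worth checking that `len` stays in sync with the type of `maxlen`, which is not visible in this hunk.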


