Avoid out-of-bounds access when a slide input line begins with \0
If we read in a line with \0 at the beginning, blen will be 0. However, we then try to index our copy of the buffer with s->lines[s->linecount][blen-1], we'll read (and potentially write if the data happens to be 0x0A) outside of strdup's allocated memory, and may crash. Fix this by just rejecting lines with a leading \0. Lines with nulls embedded in other places don't invoke similar behaviour, since the length is still >0.
committed by Hiltjo Posthuma
parent 72d33d463f
commit 2649e8d533
sent.c | 4
							@ -428,6 +428,10 @@ load(FILE *fp)
 | 
				
			|||||||
		maxlines = 0;
 | 
							maxlines = 0;
 | 
				
			||||||
		memset((s = &slides[slidecount]), 0, sizeof(Slide));
 | 
							memset((s = &slides[slidecount]), 0, sizeof(Slide));
 | 
				
			||||||
		do {
 | 
							do {
 | 
				
			||||||
 | 
								/* if there's a leading null, we can't do blen-1 */
 | 
				
			||||||
 | 
								if (buf[0] == '\0')
 | 
				
			||||||
 | 
									continue;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
			if (buf[0] == '#')
 | 
								if (buf[0] == '#')
 | 
				
			||||||
				continue;
 | 
									continue;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
				
			|||||||
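Review bot: the new `if (buf[0] == '\0') continue;` at the top of the do loop guards an access, `s->lines[s->linecount][blen-1]`, that is not in this hunk, so the check and the index it protects sit apart and can drift as load() changes. Consider putting a `blen > 0` test on the access itself, or at least extending the comment to say that blen comes out as 0 because the length stops at the leading \0. The rejected line is also dropped silently, including any bytes after the \0 that were read into buf; if that is intended, say so in the comment. As a style point, the two adjacent skips could be one test: `if (buf[0] == '\0' || buf[0] == '#')`.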