any takers?
On Tue, Oct 24, 2017 at 07:35:12PM +0200, Theo Buehler wrote:
> The update to 20170704 broke tab completion, at least when running with
> malloc.conf -> J. For example, typing '/msg <user who pm-ed you before>'
> on icb and holding down the tab-key for a while will crash ircII after a
> while.
>
> The reason is that an off-by-one in double_quote() in source/ircaux.c
> will prevent double_quote_work() from null terminating the returned
> string. An example of a crash looks like this:
>
> #0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:124
> #1 0x0000101e17d32773 in malloc_strncat (ptr=0x7f7ffffdc030,
> src=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete sequence \333><error: Cannot access memory at address 0x1020f92fa000>, extra=0) at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/ircaux.c:232
> #2 0x0000101e17d32721 in malloc_strcat (ptr=0x7f7ffffdc030,
> src=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete sequence \333><error: Cannot access memory at address 0x1020f92fa000>) at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/ircaux.c:221
> #3 0x0000101e17d08428 in expander_addition (buff=0x7f7ffffdc030,
> add=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete sequence \333><error: Cannot access memory at address 0x1020f92fa000>, length=0, quote_em=0x1020f92f9650 "\\^") at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1360
> #4 0x0000101e17d03c75 in alias_special_char (name=0x1021077f4340 "TK.GETMSG", lbuf=0x7f7ffffdc030, ptr=0x10204fc8b8a6 " ",
> args=0x1020f6738d4b "1 tb2 tb2", quote_em=0x1020f92f9650 "\\^", args_flag=0x7f7ffffdc0a4)
> at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1466
> #5 0x0000101e17d0195f in expand_alias (name=0x1021077f4340 "TK.GETMSG",
> string=0x1020c7fc5f98 "type ^U$tk.junk $^\\^^{[$($tk.msgcnt)]} ", args=0x1020f6738d4b "1 tb2 tb2", args_flag=0x7f7ffffdc0a4,
> more_text=0x7f7ffffdc0c0) at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1625
> (More stack frames follow...)
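A small C model of the failure the report describes, written for this post (it is not ircII's own code; the helper names, the escaping rule and the junk-fill value are assumptions): the worker writes a NUL only when its size argument leaves room for it, so passing len instead of len + 1 hands back a buffer whose last byte is still the 0xDB junk that malloc.conf J left there, and the len != len2 sanity check does not notice.

```c
#include <stdlib.h>
#include <string.h>

/* Bytes the quoted form of str needs, excluding the NUL. */
size_t quoted_len(const char *str, const char *stuff)
{
    size_t len = 0;
    for (; *str; str++)
        len += strchr(stuff, *str) ? 2 : 1;
    return len;
}

/* Write the quoted form (backslash before each byte found in stuff) into
 * dst, never past size bytes; the NUL is written only if it fits.
 * Returns the number of data bytes written. */
size_t double_quote_work(const char *str, const char *stuff, char *dst, size_t size)
{
    size_t n = 0;
    for (; *str && n < size; str++) {
        if (strchr(stuff, *str)) {
            if (n + 1 >= size)      /* no room for backslash plus byte */
                break;
            dst[n++] = '\\';
        }
        dst[n++] = *str;
    }
    if (n < size)
        dst[n] = '\0';
    return n;
}

/* Allocate len + 1 bytes, junk-fill them with 0xDB as malloc.conf J does
 * (the '\333' bytes in the backtrace), then quote. fixed selects the
 * corrected size argument (len + 1) or the original off-by-one (len). */
char *double_quote(const char *str, const char *stuff, int fixed)
{
    size_t len = quoted_len(str, stuff), len2;
    char *dst = malloc(len + 1);
    if (dst == NULL)
        return NULL;
    memset(dst, 0xDB, len + 1);
    len2 = double_quote_work(str, stuff, dst, fixed ? len + 1 : len);
    /* With the bug len2 still equals len, so this check passes and an
     * unterminated buffer is returned; strlen() on it reads past the end. */
    if (len2 != len) {
        free(dst);
        return NULL;
    }
    return dst;
}
```

With fixed set, dst[len] is the terminator; without it, dst[len] is untouched junk and strlen() walks off the allocation exactly as in the backtrace above.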
Index: Makefile
===================================================================
RCS file: /var/cvs/ports/net/ircII/Makefile,v
retrieving revision 1.50
diff -u -p -r1.50 Makefile
--- Makefile 13 Oct 2017 14:56:22 -0000 1.50
+++ Makefile 24 Oct 2017 14:48:38 -0000
@@ -3,6 +3,7 @@
COMMENT= Internet Relay Chat client
VERSION= 20170704
+REVISION= 0
DISTNAME= ircii-${VERSION}
PKGNAME= ircII-${VERSION}
CATEGORIES= net
Index: patches/patch-source_ircaux_c
===================================================================
RCS file: patches/patch-source_ircaux_c
diff -N patches/patch-source_ircaux_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-source_ircaux_c 24 Oct 2017 14:45:30 -0000
@@ -0,0 +1,16 @@
+$OpenBSD$
+
+fix off-by-one responsible for failing to null terminate dst
+
+Index: source/ircaux.c
+--- source/ircaux.c.orig
++++ source/ircaux.c
+@@ -965,7 +965,7 @@ double_quote(u_char *str, u_char *stuff)
+ return empty_string();
+
+ dst = new_malloc(len + 1);
+- len2 = double_quote_work(str, stuff, dst, len);
++ len2 = double_quote_work(str, stuff, dst, len + 1);
+ if (len != len2)
+ yell("--- double_quote() error: len %zu len2 %zu", len, len2);
+
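Review bot: the call now passes len + 1, matching the new_malloc(len + 1) allocation, but the hunk does not show how double_quote_work() interprets its last argument; please confirm it is the total buffer size (so the NUL lands at dst[len]) and not the number of bytes to produce, otherwise len2 would come back as len + 1 and trip the unchanged `if (len != len2)` check two lines below.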