Wednesday, November 01, 2017

Re: net/ircII: fix off-by-one in double_quote()

On Wed, Nov 01 2017, Theo Buehler <tb@theobuehler.org> wrote:
> any takers?

Looks good to me.

> On Tue, Oct 24, 2017 at 07:35:12PM +0200, Theo Buehler wrote:
>> The update to 20170704 broke tab completion, at least when running with
>> malloc.conf -> J. For example, typing '/msg <user who pm-ed you before>'
>> on icb and holding down the tab-key for a while will crash ircII after a
>> while.
>>
>> The reason is that an off-by-one in double_quote() in source/ircaux.c
>> will prevent double_quote_work() from null terminating the returned
>> string. An example of a crash looks like this:
>>
>> #0 strlen () at /usr/src/lib/libc/arch/amd64/string/strlen.S:124
>> #1 0x0000101e17d32773 in malloc_strncat (ptr=0x7f7ffffdc030,
>> src=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete
>> sequence \333><error: Cannot access memory at address 0x1020f92fa000>,
>> extra=0) at
>> /usr/ports/pobj/ircII-20170704/ircii-20170704/source/ircaux.c:232
>> #2 0x0000101e17d32721 in malloc_strcat (ptr=0x7f7ffffdc030,
>> src=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete sequence \333><error: Cannot access memory at address 0x1020f92fa000>) at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/ircaux.c:221
>> #3 0x0000101e17d08428 in expander_addition (buff=0x7f7ffffdc030,
>> add=0x1020f92f9ff0 "tb2", '\333' <repeats 12 times>, <incomplete
>> sequence \333><error: Cannot access memory at address 0x1020f92fa000>,
>> length=0, quote_em=0x1020f92f9650 "\\^") at
>> /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1360
>> #4 0x0000101e17d03c75 in alias_special_char (name=0x1021077f4340 "TK.GETMSG", lbuf=0x7f7ffffdc030, ptr=0x10204fc8b8a6 " ",
>> args=0x1020f6738d4b "1 tb2 tb2", quote_em=0x1020f92f9650 "\\^", args_flag=0x7f7ffffdc0a4)
>> at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1466
>> #5 0x0000101e17d0195f in expand_alias (name=0x1021077f4340 "TK.GETMSG",
>> string=0x1020c7fc5f98 "type ^U$tk.junk $^\\^^{[$($tk.msgcnt)]} ", args=0x1020f6738d4b "1 tb2 tb2", args_flag=0x7f7ffffdc0a4,
>> more_text=0x7f7ffffdc0c0) at /usr/ports/pobj/ircII-20170704/ircii-20170704/source/alias.c:1625
>> (More stack frames follow...)
>
>
> Index: Makefile
> ===================================================================
> RCS file: /var/cvs/ports/net/ircII/Makefile,v
> retrieving revision 1.50
> diff -u -p -r1.50 Makefile
> --- Makefile 13 Oct 2017 14:56:22 -0000 1.50
> +++ Makefile 24 Oct 2017 14:48:38 -0000
> @@ -3,6 +3,7 @@
> COMMENT= Internet Relay Chat client
>
> VERSION= 20170704
> +REVISION= 0
> DISTNAME= ircii-${VERSION}
> PKGNAME= ircII-${VERSION}
> CATEGORIES= net
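Review bot: the REVISION= 0 bump is the right companion to a patch-only fix, since VERSION stays at 20170704 and the new REVISION line is what distinguishes the rebuilt package from the one already shipped; placing it directly under VERSION= as done here matches the surrounding layout, so nothing further is needed in this hunk.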
> Index: patches/patch-source_ircaux_c
> ===================================================================
> RCS file: patches/patch-source_ircaux_c
> diff -N patches/patch-source_ircaux_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-source_ircaux_c 24 Oct 2017 14:45:30 -0000
> @@ -0,0 +1,16 @@
> +$OpenBSD$
> +
> +fix off-by-one responsible for failing to null terminate dst
> +
> +Index: source/ircaux.c
> +--- source/ircaux.c.orig
> ++++ source/ircaux.c
> +@@ -965,7 +965,7 @@ double_quote(u_char *str, u_char *stuff)
> + return empty_string();
> +
> + dst = new_malloc(len + 1);
> +- len2 = double_quote_work(str, stuff, dst, len);
> ++ len2 = double_quote_work(str, stuff, dst, len + 1);
> + if (len != len2)
> + yell("--- double_quote() error: len %zu len2 %zu", len, len2);
> +
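Review bot: the inner hunk makes the size handed to double_quote_work() agree with the `new_malloc(len + 1)` two lines above it, which is precisely the one extra byte the terminating NUL needs. One thing to confirm before committing: the unchanged `if (len != len2)` check still compares against `len`, so double_quote_work() must return the payload length it wrote rather than the size it was given, otherwise this change would make the `yell("--- double_quote() error ...")` line fire on every call. The `$OpenBSD$` tag and the one-line description above the inner `Index:` line follow the usual ports patch layout.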
>

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
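To make the off-by-one described in the quoted report concrete, here is an added model in C. It is not ircII's code: quote_work, quoted_len and double_quote_terminated are simplified stand-ins for double_quote_work() and double_quote(), and the junk fill only emulates what malloc.conf J exposed in the trace.

```c
#include <stdlib.h>
#include <string.h>

#define JUNK 0xdb  /* byte value the trace shows as '\333' */

/* Constructed model of the worker: copy src into dst, putting a
 * backslash before every character that appears in stuff.  Writes at
 * most room bytes of payload and appends the NUL only when room leaves
 * space for it; returns the payload length written. */
static size_t quote_work(const char *src, const char *stuff,
                         char *dst, size_t room)
{
    size_t n = 0;

    for (; *src != '\0' && n < room; src++) {
        if (strchr(stuff, *src) != NULL) {
            if (n + 1 >= room)    /* no space for backslash + char */
                break;
            dst[n++] = '\\';
        }
        dst[n++] = *src;
    }
    if (n < room)
        dst[n] = '\0';            /* terminator only if there is room */
    return n;
}

/* Length the quoted form of src will have (terminator excluded). */
static size_t quoted_len(const char *src, const char *stuff)
{
    size_t len = 0;

    for (; *src != '\0'; src++)
        len += (strchr(stuff, *src) != NULL) ? 2 : 1;
    return len;
}

/* Mirrors double_quote(): allocate len + 1 bytes, then call the worker
 * with len (the off-by-one) or len + 1 (the fix).  Returns 1 when the
 * result is NUL-terminated, 0 when the terminator slot still holds junk
 * (so a later strlen() would read past the allocation), -1 on OOM. */
static int double_quote_terminated(const char *src, const char *stuff,
                                   int fixed)
{
    size_t len = quoted_len(src, stuff);
    char *dst = malloc(len + 1);
    int ok;

    if (dst == NULL)
        return -1;
    memset(dst, JUNK, len + 1);             /* emulate malloc.conf J */
    quote_work(src, stuff, dst, fixed ? len + 1 : len);
    ok = (dst[len] == '\0');
    free(dst);
    return ok;
}
```

With the "tb2" input from the trace and the "\\^" quote set, the len call leaves the byte after "tb2" at 0xdb, while the len + 1 call terminates it.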
