author | Chris Down <chris@chrisdown.name> | 2020-05-13 12:20:53 +0100 |
---|---|---|
committer | Hiltjo Posthuma <hiltjo@codemadness.org> | 2020-05-14 11:43:34 +0200 |
commit | 2649e8d5334f7e37a1710c60fb740ecfe91b9f9e (patch) | |
tree | 36d235c6bec798d085e776869470d87b6f8330bc | |
parent | 72d33d463fed7ba271961a6f91cae1fed8faa454 (diff) | |
Avoid out-of-bounds access when a slide input line begins with \0

If we read in a line with \0 at the beginning, blen will be 0. However,
we then try to index our copy of the buffer with
s->lines[s->linecount][blen-1], we'll read (and potentially write if the
data happens to be 0x0A) outside of strdup's allocated memory, and may
crash.

Fix this by just rejecting lines with a leading \0. Lines with nulls
embedded in other places don't invoke similar behaviour, since the
length is still >0.
-rw-r--r-- | sent.c | 4 |
1 files changed, 4 insertions, 0 deletions
@@ -428,6 +428,10 @@ load(FILE *fp) maxlines = 0; memset((s = &slides[slidecount]), 0, sizeof(Slide)); do { + /* if there's a leading null, we can't do blen-1 */ + if (buf[0] == '\0') + continue; + if (buf[0] == '#') continue; |
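Review bot: the new `if (buf[0] == '\0') continue;` at the top of the do-loop in load() protects the `blen-1` index only indirectly, because the guard tests the input buffer while the index named in the commit message is computed from the length of the copy further down. Consider also (or instead) checking `blen > 0` directly at the `s->lines[s->linecount][blen-1]` access, so the bounds invariant is stated where it is relied on and survives later changes to the code in between. A second, smaller point: the line is discarded silently, in the same way as a `#` comment line, so a slide file containing such a line loads with no indication that input was skipped; a warning on stderr would make that visible. The comment could also name the failure more precisely, for example that blen would be 0 and `blen-1` would index before the start of the strdup'd copy.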