Date: Fri, 21 Jan 2000 11:38:26 -0800 (PST)
From: Jin Guojun (FTG staff) <jin@gracie.lbl.gov>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/16271: vi has wrong len type in re_tag_conv()
Message-ID: <200001211938.LAA70227@gracie.lbl.gov>

>Number: 16271
>Category: bin
>Synopsis: vi has wrong len type in re_tag_conv()
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 21 12:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Jin Guojun (FTG staff)
>Release: FreeBSD 3.4-20000104-STABLE i386
>Organization:
>Environment:

	nvi in FreeBSD 3.4-20000104-STABLE

>Description:

	An unsigned len is compared with a signed expression; this causes
	a core dump because (len > 0) is always true, so the loop never ends.

>How-To-Repeat:

	Look at the code contrib/nvi/ex/ex_subst.c:

...
static int
re_tag_conv(sp, ptrnp, plenp, replacedp)
	SCR *sp;
	char **ptrnp;
	size_t *plenp;
	int *replacedp;
{
	size_t blen, len;	/* !!!!!!!!!!!! line 1180 !!!!!!!!! */
	int lastdollar;
	char *bp, *p, *t;

	len = *plenp;

	/* Max memory usage is 2 times the length of the string. */
	*replacedp = 1;
	GET_SPACE_RET(sp, bp, blen, len * 2);

	p = *ptrnp;
	t = bp;

	/* If the last character is a '/' or '?', we just strip it. */
	if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?'))
		--len;

	/* If the next-to-last or last character is a '$', it's magic. */
	if (len > 0 && p[len - 1] == '$') {
		--len;
		lastdollar = 1;
	} else
		lastdollar = 0;

	/* If the first character is a '/' or '?', we just strip it. */
	if (len > 0 && (p[0] == '/' || p[0] == '?')) {
		++p;
		--len;
	}

	/* If the first or second character is a '^', it's magic. */
	if (p[0] == '^') {
		*t++ = *p++;
		--len;
	}

	/*
	 * Escape every other magic character we can find, meanwhile stripping
	 * the backslashes ctags inserts when escaping the search delimiter
	 * characters.
	 */
	for (; len > 0; --len) {	/* !!!!!! line 1221 !!!!!!!! */
		if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {
			++p;
			--len;
		} else if (strchr("^.[]$*", p[0]))
			*t++ = '\\';
		*t++ = *p++;
	}
	if (lastdollar)

>Fix:

	Change the len type from size_t to int, i.e., move len from
	line 1180 to line 1181.

>Release-Note:
>Audit-Trail:
>Unformatted:
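
The counter arithmetic behind this report, as an added example that is not part of the original message or of the nvi source: the same length bookkeeping is instantiated once with size_t and once with int and run on two constructed patterns. The macro and function names are hypothetical, nothing is copied to an output buffer, and the -1 return is an added guard that stops the walk once the counter has passed zero.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not nvi source. Returns the number of loop passes, or
 * -1 as soon as the counter claims more characters than the input holds,
 * i.e. it was decremented below zero and wrapped. Names are hypothetical.
 */
#define DEFINE_PASSES(name, len_t)                                      \
static long name(const char *p)                                         \
{                                                                       \
    size_t n = strlen(p);                                               \
    len_t len = (len_t)n;                                               \
    long passes = 0;                                                    \
    if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?'))            \
        --len;                      /* strip trailing delimiter */      \
    if (len > 0 && p[len - 1] == '$')                                   \
        --len;                      /* trailing '$' is magic */         \
    if (len > 0 && (p[0] == '/' || p[0] == '?')) {                      \
        ++p; --len;                 /* strip leading delimiter */       \
    }                                                                   \
    if (p[0] == '^') {                                                  \
        ++p; --len;                 /* leading '^' is magic */          \
    }                                                                   \
    for (; len > 0; --len) {                                            \
        if ((size_t)len > n)                                            \
            return -1;              /* counter passed zero: runaway */  \
        if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {             \
            ++p; --len;             /* second decrement in one pass */  \
        }                                                               \
        ++p;                                                            \
        ++passes;                                                       \
    }                                                                   \
    return passes;                                                      \
}

DEFINE_PASSES(passes_size_t, size_t)   /* type in the quoted code */
DEFINE_PASSES(passes_int, int)         /* type proposed under >Fix: */

int main(void)
{
    /* Constructed sample patterns, not taken from the report. */
    const char *samples[] = { "/^main()$/", "\\/" };
    for (size_t i = 0; i < 2; i++)
        printf("%-12s size_t=%ld int=%ld\n", samples[i],
               passes_size_t(samples[i]), passes_int(samples[i]));
    return 0;
}
```

With the second pattern the escape branch and the loop header each decrement the counter in the same pass: an int counter reaches -1 and the loop ends, while a size_t counter wraps to SIZE_MAX and the loop condition stays true.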