Date: Fri, 21 Jan 2000 11:38:26 -0800 (PST)
From: Jin Guojun (FTG staff) <jin@gracie.lbl.gov>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/16271: vi has wrong len type in re_tag_conv()
Message-ID: <200001211938.LAA70227@gracie.lbl.gov>
>Number: 16271
>Category: bin
>Synopsis: vi has wrong len type in re_tag_conv()
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jan 21 12:00:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Jin Guojun (FTG staff)
>Release: FreeBSD 3.4-20000104-STABLE i386
>Organization:
>Environment:
nvi in FreeBSD 3.4-20000104-STABLE
>Description:
An unsigned len is used to compare with a signed expression;
this causes a core dump because (len > 0) is always true,
so the loop never ends.
>How-To-Repeat:
Look at the code contrib/nvi/ex/ex_subst.c:
...
static int
re_tag_conv(sp, ptrnp, plenp, replacedp)
	SCR *sp;
	char **ptrnp;
	size_t *plenp;
	int *replacedp;
{
	size_t blen, len;	!!!!!!!!!!!! line 1180 !!!!!!!!!
	int lastdollar;
	char *bp, *p, *t;
	len = *plenp;
	/* Max memory usage is 2 times the length of the string. */
	*replacedp = 1;
	GET_SPACE_RET(sp, bp, blen, len * 2);
	p = *ptrnp;
	t = bp;
	/* If the last character is a '/' or '?', we just strip it. */
	if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?'))
		--len;
	/* If the next-to-last or last character is a '$', it's magic. */
	if (len > 0 && p[len - 1] == '$') {
		--len;
		lastdollar = 1;
	} else
		lastdollar = 0;
	/* If the first character is a '/' or '?', we just strip it. */
	if (len > 0 && (p[0] == '/' || p[0] == '?')) {
		++p;
		--len;
	}
	/* If the first or second character is a '^', it's magic. */
	if (p[0] == '^') {
		*t++ = *p++;
		--len;
	}
	/*
	 * Escape every other magic character we can find, meanwhile stripping
	 * the backslashes ctags inserts when escaping the search delimiter
	 * characters.
	 */
	for (; len > 0; --len) {	!!!!!! line 1221 !!!!!!!!
		if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {
			++p;
			--len;
		} else if (strchr("^.[]$*", p[0]))
			*t++ = '\\';
		*t++ = *p++;
	}
	if (lastdollar)
>Fix:
Change the len type from size_t to int, i.e.,
move len from line 1180 to line 1181.
>Release-Note:
>Audit-Trail:
>Unformatted:
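
Added example (not part of the original report and not nvi's own code): a small C model of the loop at line 1221, showing when the size_t counter is decremented past zero and how the signed counter proposed under Fix terminates on the same input. The function names and the sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the line-1221 loop with the reported size_t counter. Returns 1 if
 * the for's --len would run with len already 0 (wrapping to SIZE_MAX). */
static int size_t_counter_wraps(const char *p, size_t len)
{
	while (len > 0) {
		if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {
			++p;
			--len;		/* second decrement inside the body */
		}
		++p;
		if (len == 0)
			return 1;	/* the for's --len would wrap here */
		--len;			/* the for's own decrement */
	}
	return 0;
}

/* Same loop with the signed counter from the Fix section. out must hold
 * 2 * len + 1 bytes; returns the number of bytes written before the NUL. */
static size_t escape_signed(const char *p, int len, char *out)
{
	char *t = out;

	for (; len > 0; --len) {
		if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {
			++p;
			--len;		/* may reach 0; the for then makes it -1 */
		} else if (strchr("^.[]$*", p[0]))
			*t++ = '\\';
		*t++ = *p++;
	}
	*t = '\0';
	return (size_t)(t - out);
}

int main(void)
{
	char out[16];
	/* Constructed input: counter is 1 at an escaped delimiter. */
	printf("size_t wraps: %d\n", size_t_counter_wraps("\\/", 1));
	printf("signed wrote: %zu\n", escape_signed("\\/", 1, out));
	return 0;
}
```

The wrap needs the counter to be exactly 1 when the loop reaches an escaped delimiter, because that iteration decrements twice.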
