git: ba86cffb2840 - main - rs: Fix some pointer arith UB.

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Wed, 05 Oct 2022 23:48:33 UTC
The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=ba86cffb2840e12b5d72453d7c574850a76001d8

commit ba86cffb2840e12b5d72453d7c574850a76001d8
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-10-05 23:48:05 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-10-05 23:48:05 +0000

    rs: Fix some pointer arith UB.
    
    If the next column was blank, then the length of the following entry
    was computed as the end of the following entry minus a global variable
    "blank" which is not in the same string or allocation.  Instead, save
    the start value of 'p' explicitly instead of abusing '*ep'.  Possibly
    we should just increment p before saving it in sp in the 'blank' case,
    but at worst that would just mean maxlen might be one char too large
    which should be harmless.
    
    Reviewed by:    brooks
    Differential Revision:  https://reviews.freebsd.org/D36832
---
 usr.bin/rs/rs.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.bin/rs/rs.c b/usr.bin/rs/rs.c
index 557c5b9f56c0..046bdc125f00 100644
--- a/usr.bin/rs/rs.c
+++ b/usr.bin/rs/rs.c
@@ -114,10 +114,11 @@ main(int argc, char *argv[])
 static void
 getfile(void)
 {
-	char *p;
+	char *p, *sp;
 	char *endp;
 	char **ep;
 	int c;
+	int len;
 	int multisep = (flags & ONEISEPONLY ? 0 : 1);
 	int nullpad = flags & NULLPAD;
 	char **padto;
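Review bot: the new `int len;` declaration is narrower than the value it later receives, since `len = p - sp;` in the next hunk is a pointer difference of type `ptrdiff_t`. On 64-bit targets that assignment is an implicit narrowing conversion. Either declare `len` as `ptrdiff_t`, or keep `int` and make the conversion explicit with a cast if that is what matches the type of `maxlen` (its declaration is not visible in this diff).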
@@ -159,11 +160,13 @@ getfile(void)
 				*ep = blank;
 			else			/* store column entry */
 				*ep = p;
+			sp = p;
 			while (p < endp && *p != isep)
 				p++;		/* find end of entry */
 			*p = '\0';		/* mark end of entry */
-			if (maxlen < p - *ep)	/* update maxlen */
-				maxlen = p - *ep;
+			len = p - sp;
+			if (maxlen < len)	/* update maxlen */
+				maxlen = len;
 			INCR(ep);		/* prepare for next entry */
 		}
 		irows++;			/* update row count */
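Review bot: the new `sp = p;` line is missing a comment about the blank-column case. When `*ep = blank` is taken, the length is still measured from `p`, and the commit message notes this can leave `maxlen` one character too large. That reasoning only lives in the commit log, so a one-line comment at `sp = p;` stating that the over-count is known and only affects `maxlen` would keep a later reader from "fixing" it back to `p - *ep` and reintroducing the subtraction between unrelated allocations.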