User: aidan
Date: 06/05/21 20:35:35
Modified: xemacs/src ChangeLog doc.c
Log:
Incorporate Fabrice's fix of my buffer overrun bug.
Revision Changes Path
1.962 +10 -0 XEmacs/xemacs/src/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /pack/xemacscvs/XEmacs/xemacs/src/ChangeLog,v
retrieving revision 1.961
retrieving revision 1.962
diff -u -p -r1.961 -r1.962
--- ChangeLog 2006/05/16 08:24:49 1.961
+++ ChangeLog 2006/05/21 18:35:30 1.962
@@ -1,3 +1,13 @@
+2006-05-21 Aidan Kehoe <kehoea(a)parhasard.net>
+
+ * doc.c (extract_object_file_name):
+ * doc.c (unparesseuxify_doc_string):
+ Leave sufficient space for the '\0' sentinel when reading into the
+ buffer. The bug in unparesseuxify_doc_string had been there for
+ ten years at least, but it was Fabrice Popineau's investigation of
+ the code on the same model in extract_object_file_name that
+ provoked its discovery. Thank you Fabrice!
+
2006-05-16 Stephen J. Turnbull <stephen(a)xemacs.org>
* XEmacs 21.5.27 "fiddleheads" is released.
1.38 +8 -6 XEmacs/xemacs/src/doc.c
Index: doc.c
===================================================================
RCS file: /pack/xemacscvs/XEmacs/xemacs/src/doc.c,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -p -r1.37 -r1.38
--- doc.c 2006/05/07 14:20:36 1.37
+++ doc.c 2006/05/21 18:35:31 1.38
@@ -49,7 +49,7 @@ extract_object_file_name (int fd, EMACS_
{
Ibyte buf[DOC_MAX_FILENAME_LENGTH+1];
Ibyte *buffer = buf;
- int buffer_size = sizeof (buf), space_left;
+ int buffer_size = sizeof (buf) - 1, space_left;
Ibyte *from, *to;
REGISTER Ibyte *p = buffer;
Lisp_Object return_me;
@@ -59,8 +59,8 @@ extract_object_file_name (int fd, EMACS_
GCPRO2 (fdstream, instream);
- position = doc_pos > DOC_MAX_FILENAME_LENGTH ?
- doc_pos - DOC_MAX_FILENAME_LENGTH : 0;
+ position = doc_pos > buffer_size ?
+ doc_pos - buffer_size : 0;
if (0 > lseek (fd, position, 0))
{
@@ -168,7 +168,7 @@ unparesseuxify_doc_string (int fd, EMACS
{
Ibyte buf[512 * 32 + 1];
Ibyte *buffer = buf;
- int buffer_size = sizeof (buf);
+ int buffer_size = sizeof (buf) - 1;
Ibyte *from, *to;
REGISTER Ibyte *p = buffer;
Lisp_Object return_me;
@@ -215,13 +215,15 @@ unparesseuxify_doc_string (int fd, EMACS
if (space_left == 0)
{
Ibyte *old_buffer = buffer;
+ buffer_size *= 2;
+
if (buffer == buf)
{
- buffer = xnew_ibytes (buffer_size *= 2);
+ buffer = xnew_ibytes (buffer_size + 1);
memcpy (buffer, old_buffer, p - old_buffer);
}
else
- XREALLOC_ARRAY (buffer, Ibyte, buffer_size *= 2);
+ XREALLOC_ARRAY (buffer, Ibyte, buffer_size + 1);
p += buffer - old_buffer;
space_left = buffer_size - (p - buffer);
}
