| Summary: | vi has wrong len type in re_tag_conv() | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Jin Guojun <jin> |
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
On Thu, 30 Mar 2000 21:44:22 PST, Jin Guojun wrote:

> This problem also exists in 4.0 release. The patch is very simple,
> and the concept is clear. Can we fix this problem by applying the
> following patch?

I don't think so, because that file is on the vendor branch. This fix
should be submitted to Keith Bostic, nvi's maintainer. If he agrees
that the next release of nvi will include this patch exactly, then we
can probably do some magic.

Ciao,
Sheldon.

> > This problem also exists in 4.0 release. The patch is very simple,
> > and the concept is clear. Can we fix this problem by applying the
> > following patch?
>
> I don't think so, because that file is on the vendor branch. This fix
> should be submitted to Keith Bostic, nvi's maintainer. If he agrees
> that the next release of nvi will include this patch exactly, then we
> can probably do some magic.

Then, how can I contact Keith Bostic?
Has he been notified of this problem yet?

-Jin

On Fri, 31 Mar 2000 07:54:39 PST, Jin Guojun wrote:

> > I don't think so, because that file is on the vendor branch. This fix
> > should be submitted to Keith Bostic, nvi's maintainer. If he agrees
> > that the next release of nvi will include this patch exactly, then we
> > can probably do some magic.
>
> Then, how can I contact Keith Bostic?

His e-mail address is bostic@bostic.com .

> Has he been notified of this problem yet?

I don't know. Best contact him directly.

Ciao,
Sheldon.

---------- Forwarded message ----------
Date: Thu, 30 Mar 2000 21:44:22 -0800 (PST)
From: Jin Guojun <jin@george.lbl.gov>
To: freebsd-bugs@FreeBSD.ORG
Subject: re: bin/16271

This problem also exists in 4.0 release. The patch is very simple,
and the concept is clear. Can we fix this problem by applying the
following patch?

Thanks,
-Jin

} Description
}
}       an unsigned len is used to compare with signed expression,
}       this causes core dump because the (len > 0) always true,
}       so loop never ends.
}

patch:

*** contrib/nvi/ex/ex_subst.c Thu Oct 31 22:45:30 1996 --- /tmp/ex_subst.c.new Thu Mar 30 21:35:24 2000 *************** *** 1177,1183 **** size_t *plenp; int *replacedp; { ! size_t blen, len; int lastdollar; char *bp, *p, *t; --- 1177,1184 ---- size_t *plenp; int *replacedp; { ! size_t blen; ! int len; int lastdollar; char *bp, *p, *t;

State Changed
From-To: open->closed

Originator was advised to contact vendor; nvi, in this case.

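Review bot: in the changed declaration, len becomes int while the hunk's own context still declares size_t *plenp, so the len = *plenp assignment quoted in the report narrows a size_t into an int, and len * 2 passed to GET_SPACE_RET becomes signed arithmetic. The type change lets the loop condition terminate, but the decrements that run without a len > 0 check (the --len after p[0] == '^' and the second --len inside the escape loop) still take the counter below zero. Consider keeping len as size_t and guarding those two decrements instead, or add a comment stating why a pattern length above INT_MAX cannot reach this function.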
An unsigned len is compared with a signed expression; this causes a core dump because (len > 0) is always true, so the loop never ends.

Fix:

Change the len type from size_t to int, i.e., move len from line 1180 to line 1181.

How-To-Repeat:

Look at the code contrib/nvi/ex/ex_subst.c:

    ...
    static int
    re_tag_conv(sp, ptrnp, plenp, replacedp)
        SCR *sp;
        char **ptrnp;
        size_t *plenp;
        int *replacedp;
    {
        size_t blen, len;       !!!!!!!!!!!! line 1180 !!!!!!!!!
        int lastdollar;
        char *bp, *p, *t;

        len = *plenp;

        /* Max memory usage is 2 times the length of the string. */
        *replacedp = 1;
        GET_SPACE_RET(sp, bp, blen, len * 2);

        p = *ptrnp;
        t = bp;

        /* If the last character is a '/' or '?', we just strip it. */
        if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?'))
            --len;

        /* If the next-to-last or last character is a '$', it's magic. */
        if (len > 0 && p[len - 1] == '$') {
            --len;
            lastdollar = 1;
        } else
            lastdollar = 0;

        /* If the first character is a '/' or '?', we just strip it. */
        if (len > 0 && (p[0] == '/' || p[0] == '?')) {
            ++p;
            --len;
        }

        /* If the first or second character is a '^', it's magic. */
        if (p[0] == '^') {
            *t++ = *p++;
            --len;
        }

        /*
         * Escape every other magic character we can find, meanwhile stripping
         * the backslashes ctags inserts when escaping the search delimiter
         * characters.
         */
        for (; len > 0; --len) {        !!!!!! line 1221 !!!!!!!!
            if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {
                ++p;
                --len;
            } else if (strchr("^.[]$*", p[0]))
                *t++ = '\\';
            *t++ = *p++;
        }
        if (lastdollar)
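The counter behaviour described in this report, as an added example that is not part of the original report and is not nvi's code: a reduced model of the escape loop, built once with a size_t counter and once with an int counter. The names `loop_result`, `escape_size_t` and `escape_int`, the `len > start` guard and the sample pattern are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct loop_result {
    int wrapped;     /* counter passed below zero and the loop condition still held */
    size_t out_len;  /* bytes written to out */
};

/* Model of the escape loop for a given counter type. The "len > start"
 * guard is added here so the wrapped case stops instead of running past
 * the end of both buffers. */
#define DEFINE_ESCAPE_LOOP(name, len_t)                               \
static struct loop_result name(const char *p, len_t len, char *out)  \
{                                                                     \
    struct loop_result r = {0, 0};                                    \
    const len_t start = len;                                          \
    char *t = out;                                                    \
    for (; len > 0; --len) {                                          \
        if (len > start) { r.wrapped = 1; break; }                    \
        if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {           \
            ++p;                                                      \
            --len;      /* second decrement in the same iteration */  \
        } else if (strchr("^.[]$*", p[0]))                            \
            *t++ = '\\';                                              \
        *t++ = *p++;                                                  \
    }                                                                 \
    r.out_len = (size_t)(t - out);                                    \
    return r;                                                         \
}

DEFINE_ESCAPE_LOOP(escape_size_t, size_t)  /* counter type before the patch */
DEFINE_ESCAPE_LOOP(escape_int, int)        /* counter type after the patch */

/* Constructed input: what remains of the pattern /foo\/ after both
 * delimiters are stripped. Four bytes are counted; the byte after the
 * final backslash is the '/' that was stripped as the closing delimiter. */
static const char sample[] = "foo\\/";
#define SAMPLE_LEN 4

int main(void)
{
    char out[2 * SAMPLE_LEN];
    struct loop_result u = escape_size_t(sample, SAMPLE_LEN, out);
    struct loop_result s = escape_int(sample, SAMPLE_LEN, out);
    printf("size_t: wrapped=%d out_len=%zu\n", u.wrapped, u.out_len);
    printf("int:    wrapped=%d out_len=%zu\n", s.wrapped, s.out_len);
    return 0;
}
```

With the int counter the loop exits at -1, which is still one byte past the counted length; the size_t counter wraps to SIZE_MAX and, without the added guard, would keep copying.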