htmlroff: fix out of bounds access (thanks Rei-sen, via plan9port)

_readx() uses rune count as its argument and not size, so we should pass nelem() instead of sizeof().
2020-08-01 10:49:29 -07:00 · 2020-08-01 10:49:29 -07:00 · 6dbecfb457
parent 0eb81f7320
commit 6dbecfb457
1 changed files with 2 additions and 2 deletions
--- a/sys/src/cmd/htmlroff/roff.c
+++ b/sys/src/cmd/htmlroff/roff.c
@ -257,7 +257,7 @@ copyarg(void)
 	int c;
 	Rune *r;
 	
-	if(_readx(buf, sizeof buf, ArgMode, 0) < 0)
+	if(_readx(buf, nelem(buf), ArgMode, 0) < 0)
 		return nil;
 	r = runestrstr(buf, L("\\\""));
 	if(r){
@ -280,7 +280,7 @@ readline(int m)
 	static Rune buf[MaxLine];
 	Rune *r;

-	if(_readx(buf, sizeof buf, m, 1) < 0)
+	if(_readx(buf, nelem(buf), m, 1) < 0)
 		return nil;
 	r = erunestrdup(buf);
 	return r;