From 9e27ee094c25873c71da6488d7926c621c115c68 Mon Sep 17 00:00:00 2001 From: Ori Bernstein Date: Sat, 1 Aug 2020 10:54:03 -0700 Subject: [PATCH] deroff: fix out-of-bounds access if runes above 0X80 are inside EQ clauses (thanks mmnmnnmnmm, via plan9port) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Characters greater than 0X80 will cause a read beyond the bounds of the array chars[]. For particular unicode characters this can cause deroff to segfault. A minimal example: $ deroff .EQ u∈ Segmentation fault Throughout deroff, charclass() is used instead of directly indexing chars[] so I presume this was just missed. --- sys/src/cmd/deroff.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/src/cmd/deroff.c b/sys/src/cmd/deroff.c index 914c5a3f5..ce0cee95b 100644 --- a/sys/src/cmd/deroff.c +++ b/sys/src/cmd/deroff.c @@ -745,7 +745,7 @@ eqn(void) } if(c != '\n') while(C1 != '\n') { - if(chars[c] == PUNCT) + if(charclass(c) == PUNCT) last = c; else if(c != ' ')
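Review bot: In eqn(), the switch to `if(charclass(c) == PUNCT)` is only as safe as the range check inside charclass(), which this hunk does not show. Before merging, confirm that charclass() rejects every value outside the bounds of chars[], including any negative value c can hold after C1. The commit message only presumes this was the one direct index that was missed, so grep deroff.c for any remaining `chars[` subscripts outside charclass() and convert them the same way. The `.EQ` / `u∈` input from the commit message would make a good regression case to keep alongside the fix.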