dc: fix off by one in stack overflow check (thanks BurnZeZ)

BurnZeZ → Found a bug in dc(1)
BurnZeZ → Everything breaks when you fill the stack
BurnZeZ → You have stkptr which crap expects to point to an available member in Blk *stack[STKSZ];
BurnZeZ → stkend = &stack[STKSZ];
BurnZeZ → stkptr is allowed to equal stkend
BurnZeZ → So crap that expects stkptr to be pointing to an available Blk ends up dereferencing past the end of the array
BurnZeZ → term% echo `{seq 1 100} f | dc
BurnZeZ → dc 628283: suicide: sys: trap: fault read addr=0xffffe0000040a618 pc=0x204b1c
cinap_lenrek 2018-07-27 09:31:28 +02:00
parent 6cd83e5d24
commit da5c0bada7
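
The off-by-one described in the commit message, as an added example that is not part of the commit or of dc's source. It assumes a push of the form `if(stkptr == stkend) fail; *++stkptr = p;` (the push routine is not shown on this page), uses a constructed `STKSZ` of 8, and gives the model array one spare slot so the out-of-range index can be observed without a real out-of-bounds access.

```c
#include <stdio.h>
#include <stddef.h>

#define STKSZ 8                 /* constructed size for the demo, not dc's value */

typedef struct Blk Blk;         /* opaque: only pointers to it are stored */

/*
 * Model of a pre-increment push guarded by "stkptr == stkend" (assumed form).
 * slots[] has STKSZ+1 entries; index STKSZ stands for "one past the end" of
 * the real Blk *stack[STKSZ]. Returns the highest index that was written.
 */
static size_t fill(size_t end_index)
{
	Blk *slots[STKSZ + 1] = {0};
	Blk **stkptr = &slots[0];       /* slot 0 marks the empty stack */
	Blk **stkend = &slots[end_index];
	size_t highest = 0;
	int i;

	for (i = 0; i < 100; i++) {     /* same shape as pushing 1..100 */
		if (stkptr == stkend)
			break;                  /* stack reported as full */
		*++stkptr = NULL;           /* the write that can land past the end */
		highest = (size_t)(stkptr - slots);
	}
	return highest;
}

/* Nonzero when the push loop wrote at or beyond index STKSZ. */
static int overflows(size_t end_index)
{
	return fill(end_index) >= STKSZ;
}

int main(void)
{
	printf("stkend = &stack[STKSZ]:   highest index %zu, overflow=%d\n",
	    fill(STKSZ), overflows(STKSZ));
	printf("stkend = &stack[STKSZ-1]: highest index %zu, overflow=%d\n",
	    fill(STKSZ - 1), overflows(STKSZ - 1));
	return 0;
}
```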

@ -1218,7 +1218,7 @@ init(int argc, char *argv[])
strptr = salloc(0); strptr = salloc(0);
divxyz = salloc(0); divxyz = salloc(0);
stkbeg = stkptr = &stack[0]; stkbeg = stkptr = &stack[0];
stkend = &stack[STKSZ]; stkend = &stack[STKSZ-1];
stkerr = 0; stkerr = 0;
readptr = &readstk[0]; readptr = &readstk[0];
k=0; k=0;
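
Review bot: On the `stkend = &stack[STKSZ-1];` line, `stkend` now names the last usable slot instead of one past the end, which runs against the usual C convention and is not documented in the hunk. A short comment such as `/* stkend is the last valid slot; stkptr may equal it */` would stop a later reader from "correcting" it back to `&stack[STKSZ]`. The sites that compare `stkptr` with `stkend` are outside this hunk, so it is worth confirming that each one treats equality as "full"; the adjacent `readptr = &readstk[0];` setup deserves the same check if its bound is computed the same way.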