
ee: Bound the number of bytes we'll skip in utf8_prev()
Needs Review (Public)

Authored by markj on Sat, Jun 27, 7:46 PM.

Details

Reviewers
bapt
Group Reviewers
secteam
Summary

utf8_prev() will walk backwards unless it sees a non-continuation byte,
but this is dangerous in the face of malformed UTF-8 input. In
particular, delete() will copy the skipped-over bytes into a
heap-allocated buffer, d_char, which is fixed at 5 bytes.

Make utf8_prev() refuse to step more than four bytes backward, to avoid
the overflow in delete().

Fixes: 62fba0054d9e ("ee: add unicode support")
Reported by: Sayono Hiragi

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 74336
Build 71219: arc lint + arc unit

Event Timeline

markj requested review of this revision. Sat, Jun 27, 7:46 PM

Thinking a bit more, this is maybe not the right solution; delete() should perhaps handle invalid sequences instead.

des added inline comments.
contrib/ee/ee.c
245–247

de gustibus et coloribus non est disputandum, but I find this a little more readable.

Thinking a bit more, this is maybe not the right solution; delete() should perhaps handle invalid sequences instead.

I was thinking along the same lines, because although utf8_prev() is now safe, it no longer does what it promises.

In D57913#1327630, @des wrote:

Thinking a bit more, this is maybe not the right solution; delete() should perhaps handle invalid sequences instead.

I was thinking along the same lines, because although utf8_prev() is now safe, it no longer does what it promises.

d_char is allocated, so nothing prevents us from reallocating it (keeping track of its size of course) if we need to delete more than five bytes.
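The two approaches discussed in this thread, side by side, as an added illustration that is not the ee code or this revision's diff: a backward scan that bounds how many bytes it steps over (the summary's fix), the unbounded scan it replaces, and a growable saved-character buffer (the alternative raised in the last comment). The function names, the byte buffers and the D_CHAR_SIZE constant are assumptions made for this example; only the 5-byte size of d_char and the 4-byte limit come from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest well-formed UTF-8 sequence (RFC 3629). */
#define UTF8_MAX_LEN 4

/* The page describes d_char as a fixed 5-byte buffer: up to 4 bytes of one
 * character plus a terminating NUL. Assumed name for this example. */
#define D_CHAR_SIZE 5

static int is_cont_byte(unsigned char c)
{
	return (c & 0xC0) == 0x80;	/* 10xxxxxx */
}

/* Unbounded scan: keeps stepping back while it sees continuation bytes.
 * This mirrors the risky behaviour the summary describes; kept for contrast. */
size_t utf8_prev_unbounded(const unsigned char *buf, size_t pos)
{
	size_t i;

	if (pos == 0)
		return 0;
	for (i = pos - 1; i > 0 && is_cont_byte(buf[i]); i--)
		;
	return i;
}

/* Bounded scan: steps back at most UTF8_MAX_LEN bytes, so pos - result is
 * at most 4 no matter how malformed the input is. */
size_t utf8_prev_bounded(const unsigned char *buf, size_t pos)
{
	size_t i, steps;

	if (pos == 0)
		return 0;
	i = pos - 1;
	for (steps = 1; i > 0 && steps < UTF8_MAX_LEN && is_cont_byte(buf[i]); steps++)
		i--;
	return i;
}

/* Save the bytes [start, pos) into a fixed D_CHAR_SIZE buffer, as delete()
 * saves the removed character, but refuse instead of overflowing when the
 * span does not fit. Returns the number of bytes copied, or -1. */
int save_deleted_fixed(const unsigned char *buf, size_t start, size_t pos,
    char d_char[D_CHAR_SIZE])
{
	size_t n = pos - start;

	if (n >= D_CHAR_SIZE)
		return -1;
	memcpy(d_char, buf + start, n);
	d_char[n] = '\0';
	return (int)n;
}

/* The alternative from the thread: keep the buffer heap-allocated and grow
 * it, tracking its capacity, when a longer span has to be saved. */
int save_deleted_grow(const unsigned char *buf, size_t start, size_t pos,
    char **d_char, size_t *d_cap)
{
	size_t n = pos - start;

	if (n + 1 > *d_cap) {
		char *p = realloc(*d_char, n + 1);
		if (p == NULL)
			return -1;
		*d_char = p;
		*d_cap = n + 1;
	}
	memcpy(*d_char, buf + start, n);
	(*d_char)[n] = '\0';
	return (int)n;
}

/* Constructed malformed input: "ab" followed by eight stray continuation
 * bytes, the kind of sequence that makes the unbounded scan skip 9 bytes. */
static const unsigned char malformed[] = "ab\x80\x80\x80\x80\x80\x80\x80\x80";
#define MALFORMED_LEN 10

/* Scan back from the end of the malformed input with the bounded (1) or
 * unbounded (0) scan and try to save the span in a fixed 5-byte buffer. */
int demo_fixed(int bounded)
{
	char d_char[D_CHAR_SIZE];
	size_t start = bounded ? utf8_prev_bounded(malformed, MALFORMED_LEN)
	    : utf8_prev_unbounded(malformed, MALFORMED_LEN);

	return save_deleted_fixed(malformed, start, MALFORMED_LEN, d_char);
}

/* Same unbounded span, saved into a buffer that starts at 5 bytes and grows. */
int demo_grow(void)
{
	size_t cap = D_CHAR_SIZE;
	char *d_char = malloc(cap);
	int n;

	if (d_char == NULL)
		return -1;
	n = save_deleted_grow(malformed, utf8_prev_unbounded(malformed, MALFORMED_LEN),
	    MALFORMED_LEN, &d_char, &cap);
	free(d_char);
	return n;
}

int main(void)
{
	printf("unbounded scan into fixed buffer: %d\n", demo_fixed(0));
	printf("bounded scan into fixed buffer:   %d\n", demo_fixed(1));
	printf("unbounded scan into grown buffer: %d\n", demo_grow());
	return 0;
}
```

The bounded scan keeps the fixed buffer safe but, as des notes, returns a position that is not the start of a character for malformed input; the growable buffer preserves the original scan's meaning at the cost of tracking the buffer's capacity.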