On Fri Jun 20 06:24:25 EDT 2014, p...@fb.com wrote:
good catch, but...

> The code in kbdputsc() in kbd.c does not look very safe:
> 
>               kbscan->kc[kbscan->nk++] = c; <--------- no bound checking, can overflow.

this behavior depends entirely on what latin1() does.  if
latin1() will always consume the array before kbscan->nk reaches
some bound, then extra checking here wouldn't change anything.

and that's the case.  (read port/latin1.c for details).

the real problem is that kc should be strlen("x10ffff") = 7.
(sources is wrong here, too, UTFmax*2+1 = 9, which would
allow for x1000ffff, which is not a rune)

- erik

ps: the bug was introduced here

Apr 30 16:05:23 EDT 2013 /n/sourcesdump/2014/0620/plan9/sys/src/9/port/latin1.c 1570

pps: 9atom patch applied /n/atom/patch/applied/collectlen
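The sizing argument above, worked through as an added C example; this is not the Plan 9 kernel's kbd.c or latin1.c, nor code from the thread. It assumes the compose form is an "x" followed by hex digits and that a sequence is complete once six digits are present (both assumptions of this example), sizes kc[] to strlen("x10ffff") = 7 as the mail proposes, and adds the explicit bound check in the scanner so the array cannot be written past its end even if the consumer does not drain it in time.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not the Plan 9 kernel's code. The "x" + hex-digit
 * compose form and the six-digit completion rule are assumptions made here. */

#define MAXRUNE  0x10FFFFL   /* largest Unicode code point */

/* Number of hex digits needed to spell r (at least 1). */
int rune_hexwidth(long r)
{
    int w = 1;
    while (r >= 16) { r >>= 4; w++; }
    return w;
}

/* rune_hexwidth(MAXRUNE) is 6, so "x" + 6 digits = 7 slots, i.e.
 * strlen("x10ffff"). UTFmax*2+1 = 9 would leave room for "x1000ffff",
 * which is not a rune. */
#define KCLEN 7

typedef struct {
    char kc[KCLEN];   /* pending compose characters, not NUL-terminated */
    int  nk;          /* how many slots of kc[] are in use */
} Kbscan;

/* Bounded store of the next typed character. Returns 1 if stored, 0 if
 * kc[] was already full; the pending sequence is then discarded instead
 * of being written past the end of the array. */
int kc_put(Kbscan *ks, char c)
{
    if (ks->nk < 0 || ks->nk >= KCLEN) {
        ks->nk = 0;
        return 0;
    }
    ks->kc[ks->nk++] = c;
    return 1;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Consume the pending sequence as "x" followed by hex digits.
 *   >= 0 : a complete rune; kc[] is reset
 *   -1   : still waiting for more characters
 *   -2   : not a valid hex rune sequence; kc[] is reset */
long kc_hexrune(Kbscan *ks)
{
    long r = 0;
    int i, v;

    if (ks->nk == 0)
        return -1;
    if (ks->kc[0] != 'x') {
        ks->nk = 0;
        return -2;
    }
    for (i = 1; i < ks->nk; i++) {
        v = hexval(ks->kc[i]);
        if (v < 0) { ks->nk = 0; return -2; }
        r = r * 16 + v;
    }
    if (ks->nk < KCLEN)
        return -1;               /* fewer than 6 digits yet: keep collecting */
    ks->nk = 0;
    return r <= MAXRUNE ? r : -2;
}

/* Feed a whole key string through the scanner one character at a time;
 * returns the last result reported by kc_hexrune. */
long compose_hex(const char *keys)
{
    Kbscan ks = { {0}, 0 };
    long last = -1;
    for (; *keys; keys++) {
        kc_put(&ks, *keys);
        last = kc_hexrune(&ks);
    }
    return last;
}

/* Fill kc[] completely, then offer one more character without draining:
 * returns 1 if the extra character was refused and the buffer reset. */
int kc_refuses_overflow(void)
{
    Kbscan ks = { {0}, 0 };
    int i;
    for (i = 0; i < KCLEN; i++)
        if (!kc_put(&ks, 'f')) return 0;
    return kc_put(&ks, 'f') == 0 && ks.nk == 0;
}

int main(void)
{
    printf("hex width of U+10FFFF: %d digits, KCLEN=%d\n",
           rune_hexwidth(MAXRUNE), KCLEN);
    printf("x10ffff -> %lx\n", compose_hex("x10ffff"));
    printf("x110000 -> %ld (not a rune)\n", compose_hex("x110000"));
    printf("overflow refused: %d\n", kc_refuses_overflow());
    return 0;
}
```

kc_hexrune() resets the buffer on every complete or invalid sequence, so in normal operation kc_put() never sees a full array; the check in kc_put() is the backstop for the case the mail raises, where the consumer's bound and the array size disagree.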
