On Fri Jun 20 06:24:25 EDT 2014, p...@fb.com wrote:

good catch, but...

> The code in kbdputsc() in kbd.c does not look very safe:
>
> kbscan->kc[kbscan->nk++] = c; <--------- no bound checking, can overflow.

this behavior depends entirely on what latin1() does. if latin1() will always consume the array before kbscan->nk reaches some bound, then extra checking here wouldn't change anything. and that's the case. (read port/latin1.c for details.)

the real problem is that kc should be strlen("x10ffff") = 7. (sources is wrong here, too, UTFmax*2+1 = 9, which would allow for x1000ffff, which is not a rune.)

- erik

ps: the bug was introduced here
Apr 30 16:05:23 EDT 2013 /n/sourcesdump/2014/0620/plan9/sys/src/9/port/latin1.c 1570

pps: 9atom patch applied
/n/atom/patch/applied/collectlen
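The point of the exchange above, as an added constructed model rather than Plan 9's own kbd.c or latin1.c: the unchecked store into kc[] is only safe if the consumer empties the buffer before nk reaches its bound and that bound equals the longest sequence, strlen("X10ffff") = 7. The latin1() stand-in (upper-case 'X' plus exactly six hex digits), MAXSEQ, the kbscan layout and feed() are all assumptions made for this example.

```c
#include <string.h>
#define RUNEMAX 0x10ffff
#define MAXSEQ  7               /* strlen("X10ffff"): longest collect string */

struct kbscan {
    char kc[MAXSEQ];            /* collect buffer, as in the quoted kbd.c line */
    int  nk;
};

/* Stand-in for latin1(): 'X' plus exactly six lower-case hex digits. Returns
 * -1 for an incomplete prefix, 0 for never-a-sequence or out of range,
 * otherwise the decoded rune. */
static long latin1(const char *kc, int n)
{
    static const char hd[] = "0123456789abcdef";
    const char *p; long r = 0; int i;
    if (n < 1 || kc[0] != 'X') return 0;
    for (i = 1; i < n; i++) {
        if (kc[i] == 0 || (p = strchr(hd, kc[i])) == 0)
            return 0;           /* reject early: nk can never grow past MAXSEQ */
        r = r * 16 + (p - hd);
    }
    return n < MAXSEQ ? -1 : (r > RUNEMAX ? 0 : r);
}

/* One keystroke into the collector; returns a rune when ready, else 0.
 * kc[MAXSEQ] is only safe because latin1() accepts or rejects by the time
 * nk reaches MAXSEQ; the reset below is a belt-and-braces guard on that. */
static long kbdputsc(struct kbscan *s, char c)
{
    long r;
    if (s->nk >= MAXSEQ) s->nk = 0;
    s->kc[s->nk++] = c;
    r = latin1(s->kc, s->nk);
    if (r == -1) return 0;      /* keep collecting */
    if (r == 0 && s->nk == 1) r = (unsigned char)c;  /* ordinary key */
    s->nk = 0;
    return r;
}

/* Feed a constructed keystroke string; returns the last rune produced. */
static long feed(const char *keys)
{
    struct kbscan s = { {0}, 0 };
    long r, last = 0;
    for (; *keys; keys++)
        if ((r = kbdputsc(&s, *keys)) != 0) last = r;
    return last;
}
```

Sizing kc to UTFmax*2+1 = 9 would let a nine-byte collect string reach the decoder, which is exactly the out-of-range case latin1() here rejects.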