On Fri Jun 20 06:24:25 EDT 2014, p...@fb.com wrote:
good catch, but...
> The code in kbdputsc() in kbd.c does not look very safe:
>
> kbscan->kc[kbscan->nk++] = c; <--------- no bound checking, can
> overflow.
this behavior depends entirely on what latin1() does. if
latin1() will always consume the array before kbscan->nk reaches
some bound, then extra checking here wouldn't change anything.
and that's the case. (read port/latin1.c for details).
the real problem is that kc should be strlen("x10ffff") = 7.
(sources is wrong here, too, UTFmax*2+1 = 9, which would
allow for x1000ffff, which is not a rune)
- erik
ps: the bug was introduced here
Apr 30 16:05:23 EDT 2013 /n/sourcesdump/2014/0620/plan9/sys/src/9/port/latin1.c
1570
pps: 9atom patch applied /n/atom/patch/applied/collectlen
