Hello,

Small OK ping for this one. Thanks for looking if you have time.

----- Forwarded message from Renaud Allard <[email protected]> -----

> From: Renaud Allard <[email protected]>
> To: [email protected]
> Subject: rs(1): heap buffer overread in column counting loop
> Date: Tue, 31 Mar 2026 15:12:25 +0200
>
> The column counting loop in getfile() reads one byte past the
> end of curline when the input line does not end with a separator.
>
> The inner while loop advances p to the null terminator:
>
>     for (p = curline; *p != '\0'; p++) {
>         ...
>         while (*p && *p != isep)
>             p++;
>     }
>
> When the inner while exits because *p == '\0', the for loop's
> p++ increment advances p past the null terminator. The subsequent
> *p != '\0' check in the for condition reads one byte past the
> allocated buffer.
>
> Fix: break out of the for loop when the inner while exits on
> the null terminator, before the for increment advances past it.
>
> Found by AFL++ fuzzing.
>
> Index: usr.bin/rs/rs.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/rs/rs.c,v
> retrieving revision 1.30
> diff -u -p -r1.30 rs.c
> --- usr.bin/rs/rs.c 3 Dec 2015 12:23:15 -0000 1.30
> +++ usr.bin/rs/rs.c
> @@ -146,6 +146,8 @@ getfile(void)
> icols++;
> while (*p && *p != isep)
> p++;
> + if (*p == '\0')
> + break;
> }
> ep = getptrs(NULL);
> p = curline;

----- End forwarded message -----
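Review bot: the break is placed correctly, after the inner while and before the for's p++ that stepped over the terminator, so p is never advanced past the NUL; the trailing context lines `ep = getptrs(NULL);` and `p = curline;` show p is reset right after the loop, so exiting with p on the terminator instead of one past it has no downstream effect. One point worth adding to the commit message: the unpatched read is not necessarily limited to a single byte, because if the byte after the terminator happens to be nonzero, the for condition `*p != '\0'` passes and the loop body runs on memory past the buffer; the break closes that path entirely. The explicit `*p == '\0'` test matches the `*p != '\0'` in the for header, so no style change is needed.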
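To make the mechanism concrete, here is a stand-alone reconstruction of the column counting loop in its unpatched and patched forms. This is an added example, not rs.c itself: separator handling is simplified to a single separator byte (no multisep), and every byte read goes through a small tracking helper so the program can report how far past the terminator each version looked. The input lines, the sentinel byte placed after the NUL and the helper names (`rd`, `with_sentinel`, `run_unpatched`, `run_patched`, `over_read`) are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of one column-counting pass over a line. */
struct count {
    int  cols;     /* columns found, like icols in rs(1) */
    long max_off;  /* furthest offset from the start of the line that was read */
};

/* All reads go through rd() so a pass can record how far it looked.
 * An offset greater than strlen(line) is a read past the terminator. */
static char rd(struct count *r, const char *line, const char *p)
{
    long off = (long)(p - line);
    if (off > r->max_off)
        r->max_off = off;
    return *p;
}

/* Same shape as the unpatched getfile() loop: the inner while stops on
 * the NUL, the for's p++ steps over it, and the next *p != '\0' test
 * reads past the terminator (simplified: no multisep handling). */
static struct count count_unpatched(const char *line, int isep)
{
    struct count r = {0, 0};
    const char *p;

    for (p = line; rd(&r, line, p) != '\0'; p++) {
        if (*p == isep)
            continue;       /* skip column separators */
        r.cols++;
        while (rd(&r, line, p) && *p != isep)
            p++;            /* advance to the separator or the NUL */
    }
    return r;
}

/* Same loop with the fix from the patch applied. */
static struct count count_patched(const char *line, int isep)
{
    struct count r = {0, 0};
    const char *p;

    for (p = line; rd(&r, line, p) != '\0'; p++) {
        if (*p == isep)
            continue;
        r.cols++;
        while (rd(&r, line, p) && *p != isep)
            p++;
        if (*p == '\0')
            break;          /* leave before p++ steps over the NUL */
    }
    return r;
}

/* Copy s into a buffer with a chosen byte right after its NUL, followed
 * by two more NULs, so the over-read lands on known bytes rather than on
 * whatever follows a real heap allocation. Two NULs are needed because
 * once the unpatched loop has hopped over one NUL it only halts when the
 * byte it lands on is also NUL (constructed layout for this example). */
static char *with_sentinel(const char *s, char sentinel)
{
    size_t n = strlen(s);
    char *buf = malloc(n + 4);

    if (buf == NULL)
        abort();
    memcpy(buf, s, n);
    buf[n] = '\0';
    buf[n + 1] = sentinel;
    buf[n + 2] = '\0';
    buf[n + 3] = '\0';
    return buf;
}

struct count run_unpatched(const char *s, char sentinel)
{
    char *buf = with_sentinel(s, sentinel);
    struct count r = count_unpatched(buf, ' ');
    free(buf);
    return r;
}

struct count run_patched(const char *s, char sentinel)
{
    char *buf = with_sentinel(s, sentinel);
    struct count r = count_patched(buf, ' ');
    free(buf);
    return r;
}

/* True when the pass read beyond the terminator of s. */
int over_read(struct count r, const char *s)
{
    return r.max_off > (long)strlen(s);
}

int main(void)
{
    /* Constructed inputs: a line without a trailing separator, one with. */
    const char *lines[] = { "a b c", "a b c " };
    size_t i;

    for (i = 0; i < 2; i++) {
        struct count u = run_unpatched(lines[i], 'G');
        struct count f = run_patched(lines[i], 'G');
        printf("\"%s\": unpatched cols=%d max_off=%ld over_read=%d; "
               "patched cols=%d max_off=%ld over_read=%d\n",
               lines[i], u.cols, u.max_off, over_read(u, lines[i]),
               f.cols, f.max_off, over_read(f, lines[i]));
    }
    return 0;
}
```

With a NUL sentinel the unpatched pass reads exactly one byte past the terminator of "a b c" and stops; with a nonzero sentinel such as 'G' the for condition passes on that byte and the loop counts a phantom fourth column, reading further still. The line with a trailing separator and the patched loop never read past the terminator.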
