patch 9.1.0094: xxd: buffer-overflow when writing color output Commit: https://github.com/vim/vim/commit/00221487731ea1868c57259c7aa0eb713cd7ade7 Author: Goffredo Baroncelli <kreij...@inwind.it> Date: Sat Feb 10 13:31:06 2024 +0100
patch 9.1.0094: xxd: buffer-overflow when writing color output Problem: xxd: buffer-overflow when writing color output Solution: properly account for the color escape sequences and adjust LLEN macro (Goffredo Baroncelli) xxd: crash with higer number of column xxd writes the data into a buffer before printing. Unfortunately the buffer doesn't consider the space consumed by the escape sequences used to change the color of the character. BEFORE: $ xxd -Ralways -c 256 /etc/passwd Segmentation fault (core dumped) AFTER: $ ./xxd -Ralways -c 256 /etc/passwd 00000000: 726f 6f74 3a78 3a30 3a30 3a72 6f6f 743a 2f72 [...] To solve this issue I had to increase the size of the buffer considering for each byte of data 11 further characters for the color escape sequence. closes: #14003 Signed-off-by: Goffredo Baroncelli <kreij...@libero.it> Signed-off-by: Christian Brabandt <c...@256bit.org> diff --git a/src/version.c b/src/version.c index 685f8b0df..598a957ad 100644 --- a/src/version.c +++ b/src/version.c @@ -704,6 +704,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ +/**/ + 94, /**/ 93, /**/ diff --git a/src/xxd/xxd.c b/src/xxd/xxd.c index a5f5f04ad..cf8b4ea6a 100644 --- a/src/xxd/xxd.c +++ b/src/xxd/xxd.c @@ -61,6 +61,7 @@ * 12.01.2024 disable auto-conversion for z/OS (MVS) * 17.01.2024 use size_t instead of usigned int for code-generation (-i), #13876 * 25.01.2024 revert the previous patch (size_t instead of unsigned int) + * 10.02.2024 fix buffer-overflow when writing color output to buffer, #14003 * * (c) 1990-1998 by Juergen Weigert (jnwei...@gmail.com) * @@ -141,7 +142,7 @@ extern void perror __P((char *)); # endif #endif -char version[] = "xxd 2024-01-25 by Juergen Weigert et al."; +char version[] = "xxd 2024-02-10 by Juergen Weigert et al."; #ifdef WIN32 char osver[] = " (Win32)"; #else @@ -200,7 +201,33 @@ char osver[] = ""; #define TRY_SEEK /* attempt to use lseek, or skip forward by reading */ #define COLS 256 /* change here, if you ever need more columns */ -#define LLEN ((2*(int)sizeof(unsigned long)) + 4 + (9*COLS-1) + COLS + 2) + +/* + * LLEN is the maximum length of a line; other than the visible characters + * we need to consider also the escape color sequence prologue/epilogue , + * (11 bytes for each character). The most larger format is the default one: + * addr + 1 word for each col/2 + 1 char for each col + * + * addr 1st group 2nd group + * +-------+ +-----------------+ +------+ + * 01234567: 1234 5678 9abc def0 12345678 + * + * - addr: typically 012345678: -> from 10 up to 18 bytes (including trailing + * space) + * - 1st group: 1234 5678 9abc ... -> each byte may be colored, so add 11 + * for each byte + * - space -> 1 byte + * - 2nd group: 12345678 -> each char may be colore so add 11 + * for each byte + * - new line -> 1 byte + * - zero (end line) -> 1 byte + */ +#define LLEN (2*(int)sizeof(unsigned long) + 2 + /* addr + ": " */ \ + (11 * 2 + 4 + 1) * (COLS / 2) + /* 1st group */ \ + 1 + /* space */ \ + (1 + 11) * COLS + /* 2nd group */ \ + 1 + /* new line */ \ + 1) /* zero */ char hexxa[] = "0123456789abcdef0123456789ABCDEF", *hexx = hexxa; -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/vim_dev/E1rYmj9-006yta-Q4%40256bit.org.