Re: heap-buffer-overflow in history_expand
From: Grisha Levit
Subject: Re: heap-buffer-overflow in history_expand
Date: Thu, 25 May 2023 18:10:56 -0400
On Mon, May 1, 2023 at 11:48 AM Chet Ramey <chet.ramey@case.edu> wrote:
> Yes, I concluded the same thing. Thanks for the patch. I have one question
> about the change to rl_insert: why overwrite any return value from the
> initial call to _rl_insert_char by setting r back to 0? What if the initial
> value of C starts an incomplete multibyte character, and is then followed
> by a character that doesn't contribute?
You're right, that was a mistake, I missed the presence of that
initial _rl_insert_char call.
I noticed a couple of other bits missing from the patch as applied
though. (The first because pending_bytes_length is not defined
without HANDLE_MULTIBYTE, the second to have quoted insert work
without a negative argument).
---
diff --git a/lib/readline/text.c b/lib/readline/text.c
index b07ff470..e3e5bb9e 100644
--- a/lib/readline/text.c
+++ b/lib/readline/text.c
@@ -853,7 +853,11 @@ _rl_insert_char (int count, int c)
rl_insert_text (string);
xfree (string);
+#if defined (HANDLE_MULTIBYTE)
return (pending_bytes_length != 0);
+#else
+ return 0;
+#endif
}
if (count > TEXT_COUNT_MAX)
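Review bot: the return contract at this exit of _rl_insert_char is not documented, and the new `#else` branch makes it easier to misread. A one-line comment above the `#if defined (HANDLE_MULTIBYTE)` stating that a nonzero return means bytes of an incomplete multibyte character are still pending, and that builds without HANDLE_MULTIBYTE never have pending bytes and so always return 0, would keep the two branches from drifting apart. It is also worth checking whether any other return in this function reads `pending_bytes_length` outside a HANDLE_MULTIBYTE guard, since only this one is visible in the hunk.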
@@ -1112,6 +1116,8 @@ rl_quoted_insert (int count, int key)
r = _rl_insert_next (1);
while (r == 0 && ++count < 0);
}
+ else
+ r = _rl_insert_next (count);
if (r == 1)
_rl_insert_char (0, 0); /* insert partial multibyte character */
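Review bot: the added `else` in rl_quoted_insert leaves the meaning of `r` implicit. The loop above continues while `r == 0`, while the check below fires only on `r == 1`, so any other nonzero result from `_rl_insert_next (count)` skips the partial-character flush. A short comment on which values `_rl_insert_next` can return, and that 1 means a partial multibyte character is pending, would make clear that this is intended for the new path as well. Since the message says quoted insert did not work without a negative argument, a regression test covering quoted insert with no numeric argument would be a useful addition alongside this change.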