
[Qemacs-commit] qemacs qescript.c


From: Charlie Gordon
Subject: [Qemacs-commit] qemacs qescript.c
Date: Thu, 22 Oct 2020 04:53:41 -0400 (EDT)

CVSROOT:        /sources/qemacs
Module name:    qemacs
Changes by:     Charlie Gordon <chqrlie>        20/10/22 04:53:41

Modified files:
        .              : qescript.c 

Log message:
        Fixed small issues in qescript:
        
        - fix memory leak in qe_cfg_append()
        - fix potential buffer overflow in qe_cfg_format()

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/qemacs/qescript.c?cvsroot=qemacs&r1=1.3&r2=1.4

Patches:
Index: qescript.c
===================================================================
RCS file: /sources/qemacs/qemacs/qescript.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -b -r1.3 -r1.4
--- qescript.c  21 Oct 2020 15:01:56 -0000      1.3
+++ qescript.c  22 Oct 2020 08:53:41 -0000      1.4
@@ -116,6 +116,14 @@
     sp->type = TOK_STRING;
 }
 
+static inline void qe_cfg_set_pstr(QEValue *sp, char *str, int len) {
+    if (sp->type & TOK_ALLOC)
+        qe_free(&sp->u.str);
+    sp->u.str = str;
+    sp->len = len;
+    sp->type = TOK_STRING;
+}
+
 static void qe_cfg_init(QEmacsDataSource *ds) {
     memset(ds, 0, sizeof(*ds));
     ds->sp_max = ds->stack;
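Review bot: `qe_cfg_set_pstr()` stores the caller's pointer directly, so it takes ownership of `str`, but nothing in the new code states that contract. It also frees the old `sp->u.str` before storing `str`, so a caller passing `sp->u.str` itself, a literal or a stack buffer could end up with a dangling pointer or a later invalid `qe_free()`. I would add a comment above the helper such as `/* takes ownership of str: must be a qe_malloc'ed block that does not alias sp->u.str */`. The type is set to plain `TOK_STRING`; whether that value carries the `TOK_ALLOC` bit tested on the first line is not visible here and is worth confirming, since otherwise the stored block would never be released.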
@@ -144,6 +152,7 @@
     const char *p = *pp;
     int res = 0;
     int pos = 0;
+    int end = size - 1;
     int i, len;
 
     for (;;) {
@@ -187,16 +196,16 @@
                     c = (c << 4) | qe_digit_value(*p);
                 }
                 len = utf8_encode(cbuf, c);
-                for (i = 0; i < len && pos < size; i++)
+                for (i = 0; i < len && pos < end; i++)
                     dest[pos++] = cbuf[i];
                 continue;
             }
         }
         /* XXX: silently truncate overlong string constants */
-        if (pos < size - 1)
+        if (pos < end)
             dest[pos++] = c;
     }
-    if (pos < size)
+    if (pos <= end)
         dest[pos] = '\0';
     *pp = p;
     *plen = pos;
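Review bot: The escape-sequence copy loop `for (i = 0; i < len && pos < end; i++)` can stop partway through the bytes produced by `utf8_encode()`, leaving a truncated multi-byte sequence at the end of `dest`. The new bound does reserve room for the terminator, but anything that later decodes `dest` as UTF-8 would see an invalid tail. Copying the character only when it fits whole avoids that: `if (pos + len <= end) { memcpy(dest + pos, cbuf, len); pos += len; }`. The function begins and ends outside this hunk, and `end` is the `size - 1` declared in the preceding hunk.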
@@ -407,12 +416,13 @@
 
     if (qe_cfg_tostr(ds, sp))
         return 1;
+    /* XXX: should cap length and check for malloc failure */
     new_len = sp->len + len;
     new_p = qe_malloc_array(char, new_len + 1);
     memcpy(new_p, sp->u.str, sp->len);
     memcpy(new_p + sp->len, p, len);
     new_p[new_len] = '\0';
-    qe_cfg_set_str(sp, new_p, new_len);
+    qe_cfg_set_pstr(sp, new_p, new_len);
     return 0;
 }
 
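Review bot: The new `XXX` comment names two hazards that the code below it still has. The result of `qe_malloc_array()` is not checked before the two `memcpy()` calls, and `new_len = sp->len + len` is signed `int` arithmetic that can overflow for very long operands, which would under-size the allocation. Both are small enough to close here rather than defer: `if (len < 0 || sp->len > INT_MAX - 1 - len) return 1;` before the addition and `if (!new_p) return 1;` after the allocation. This assumes `return 1` is the error path, as the `qe_cfg_tostr()` check above suggests. `INT_MAX` needs `<limits.h>`, which may not be included yet, and the function's signature is outside the hunk.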
@@ -428,6 +438,7 @@
         return 1;
     len = 0;
 
+    /* XXX: should use buf_xxx */
     for (start = p = sp->u.str;;) {
         p += strcspn(p, "%");
         len += strlen(pstrncpy(buf + len, sizeof(buf) - len, start, p - 
start));
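Review bot: The added `/* XXX: should use buf_xxx */` comment does not say which invariant currently keeps this loop inside `buf`. The line `len += strlen(pstrncpy(buf + len, sizeof(buf) - len, start, p - start));` is only safe if `pstrncpy()` always NUL-terminates within the size it is given, so that `len` stays below `sizeof(buf)` and the unsigned `sizeof(buf) - len` cannot wrap; `pstrncpy()` is not visible here, so that needs confirming. I would spell it out, e.g. `/* XXX: should use buf_xxx; relies on pstrncpy() terminating within sizeof(buf) - len so that len < sizeof(buf) */`. The loop body continues outside the hunk.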


