Some more buffer overflows in edit/syntax.c

From: "Andrew V. Samoilov" <andrew email zp ua>
To: proski gnu org
Cc: mc-devel gnome org
Subject: Some more buffer overflows in edit/syntax.c
Date: Thu, 16 Oct 2003 14:14:06 +0300 (EEST)

Hello,

some more checks added for {} and [].

-- 
Regards,
Andrew V. Samoilov.

ChangeLog:

	* syntax.c (compare_word_to_right): Add more checks that we 
	don't go beyond text length for certain invalid rules.

--- syntax.c~	Mon Oct  6 14:41:29 2003
+++ syntax.c	Wed Oct 15 18:06:02 2003
@@ -147,7 +147,7 @@
 		       const char *whole_left, const char *whole_right,
 		       int line_start)
 {
-    unsigned char *p, *q;
+    const unsigned char *p, *q;
     int c, d, j;
     if (!*text)
 	return -1;
@@ -220,12 +220,12 @@
 	    for (;; i++) {
 		d = c;
 		c = edit_get_byte (edit, i);
-		for (j = 0; p[j] != SYNTAX_TOKEN_BRACKET; j++)
+		for (j = 0; p[j] != SYNTAX_TOKEN_BRACKET && p[j]; j++)
 		    if (c == p[j])
 			goto found_char2;
 		break;
 	      found_char2:
-		j = c;		/* dummy command */
+		/* dummy command */
 	    }
 	    i--;
 	    while (*p != SYNTAX_TOKEN_BRACKET && p < q)
@@ -239,12 +239,13 @@
 	    if (++p >= q)
 		return -1;
 	    c = edit_get_byte (edit, i);
-	    for (; *p != SYNTAX_TOKEN_BRACE; p++)
+	    for (; *p != SYNTAX_TOKEN_BRACE && *p; p++)
 		if (c == *p)
 		    goto found_char3;
 	    return -1;
 	  found_char3:
-	    for (; *p != SYNTAX_TOKEN_BRACE && p < q; p++);
+	    while (*p != SYNTAX_TOKEN_BRACE && p < q)
+		 p++;
 	    break;
 	default:
 	    if (*p != edit_get_byte (edit, i))

Follow-Ups:
- Re: Some more buffer overflows in edit/syntax.c
  - From: Pavel Roskin

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]