From b49a4ffc9493a9819495c793cbdd18bab81f7bf3 Mon Sep 17 00:00:00 2001
From: Pascal Stumpf
Date: Thu, 22 Nov 2012 14:27:26 +0100
Subject: [PATCH] Keep track of the length of the string in ExpandVariables().

On OpenBSD, the 'S' option to malloc(3) enables guard pages (among other things). This loop could have triggered this trap when reading beyond the buffer. Also, the whole "while(*ip)" construct was based on the assumption that the memory after the string is always zero-filled.
---
 cde/programs/dtdocbook/instant/translate.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/cde/programs/dtdocbook/instant/translate.c b/cde/programs/dtdocbook/instant/translate.c
index cb012702..95983353 100644
--- a/cde/programs/dtdocbook/instant/translate.c
+++ b/cde/programs/dtdocbook/instant/translate.c
@@ -197,14 +197,17 @@ ExpandVariables(
 char *def_val, *s, *atval, *modifier;
 char vbuf[500];
 int lev;
+ size_t len = 0, totlen;
 
 ip = in;
 op = out;
- while (*ip) {
+ totlen = strlen(ip);
+ while (totlen >= len && *ip) {
 /* start of regular variable? */
 if (*ip == VDELIM && *(ip+1) == L_CURLY && *(ip+2) != '_') {
 ip++; ip++; /* point at variable name */
+ len + 2;
 vp = vbuf;
 /* Look for matching (closing) curly. (watch for nesting)
 * We store the variable content in a tmp buffer, so we don't
@@ -216,11 +219,13 @@ ExpandVariables(
 if (*ip == R_CURLY) {
 if (lev == 0) {
 ip++;
+ len++;
 break;
 }
 else lev--;
 }
 *vp++ = *ip++; /* copy to variable buffer */
+ len++;
 }
 *vp = EOS;
 /* vbuf now contains the variable name (stuff between curlys). */
@@ -270,6 +275,7 @@ ExpandVariables(
 }
 }
 *op++ = *ip++;
+ len++;
 }
 *op = EOS; /* terminate string */
 }
-- 
2.25.1
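Review bot: The added `len + 2;` after `ip++; ip++;` in the first hunk is an expression statement with no effect, so `len` falls two behind `ip`'s real offset for every `${` reference and the new `totlen >= len` bound no longer tracks the position it is meant to guard; it should read `len += 2;`. Because `totlen` is obtained with `strlen(ip)`, the guard still assumes `in` is NUL-terminated — what it buys is that the loop can stop at the terminator instead of relying on zero-filled memory beyond it, but only if `len` is kept exact. With `>=` the loop body is still entered when `len == totlen`; at that point `*ip` is the terminator and the `&& *ip` test ends the loop, so `totlen > len` would express the intent more directly, though the current form appears harmless. ExpandVariables begins and ends outside this hunk.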
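Review bot: In the second hunk the inner copy loop increments `len` but never compares it with `totlen`, so the bound introduced on the outer `while` does not stop this loop from walking past the terminator when no closing curly is found; whether the loop's own condition (above the hunk, not visible here) already checks `*ip` cannot be confirmed from the diff. A check such as `if (len >= totlen) break;` at the top of the loop body would carry the new bound into it. The copy into `vbuf[500]` via `*vp++ = *ip++` also has no capacity check, which is pre-existing but worth noting alongside this change since the input length is now known.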