database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-30 16:24:05 +03:00
Code Activity

Bug#20318154 : NEGATIVE ARRAY INDEX WRITE V2

Browse Source 
Description:- There is a possibility of negative array index
write associated with the function "terminal_writec()". This
is due to the assumption that there is a possibility of
getting -1 return value from the function call
"ct_visual_char()".

Analysis:- The function "terminal_writec()" is called only
from "em_delete_or_list()" and "vi_list_or_eof()" and both
these functions deal with the "^D" (ctrl+D) signal. So the
"size_t len" and "Char c" passed to "ct_visual_char()" (when
called from "terminal_writec()") is always 8 (macro
VISUAL_WIDTH_MAX is passed whose value is 8) and 4 (ASCII
value for "^D"/"ctrl+D") respectively.
Since the value of "c" is 4, "ct_chr_class()" returns -1
(macro CHTYPE_ASCIICTL is associated with -1 value). And
since value of "len" is 8, "ct_visual_char()" will always
return 2 when it is called from "terminal_writec()".
So there is no possible case so that we encounter a negative
array index write in "terminal_writec()". But since there is
a rare posibility of using "terminal_writec()" in future
enhancements, it is good handle the error case as well.

Fix:- A condition is added in "terminal_writec()" to check
whether "ct_visual_char()" is returning -1 or not. If the
return value is -1, then value 0 is returned to its calling
function "em_delete_or_list()" or "vi_list_or_eof()", which
in turn will return CC_ERROR.

NOTE:- No testcase is added since currently there is no
possible scenario to encounter this error case.
This commit is contained in:
Arun Kuruvila
2015-04-24 11:30:13 +05:30
parent 3300823ca3
commit eb79ead4f0
4 changed files with 22 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
cmd-line-utils/libedit/terminal.c
View File

@ -1,7 +1,7 @@
/* $NetBSD: terminal.c,v 1.10 2011/10/04 15:27:04 christos Exp $ */
/*-
* Copyright (c) 1992, 1993
* Copyright (c) 1992, 2015
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
@ -1271,14 +1271,19 @@ terminal__flush(EditLine *el)
/* terminal_writec():
* Write the given character out, in a human readable form
*/
protected void
protected int
terminal_writec(EditLine *el, Int c)
{
Char visbuf[VISUAL_WIDTH_MAX +1];
ssize_t vcnt = ct_visual_char(visbuf, VISUAL_WIDTH_MAX, c);
visbuf[vcnt] = '\0';
terminal_overwrite(el, visbuf, (size_t)vcnt);
terminal__flush(el);
if(vcnt == -1)
return 1; /* Error due to insufficient space */
else {
visbuf[vcnt] = '\0';
terminal_overwrite(el, visbuf, (size_t)vcnt);
terminal__flush(el);
return 0;
}
}