commit 669713d43f8a014ba481265d4c58c3fe575527b4 from: Ray Lai via: Gleydson Soares date: Sat Apr 08 00:04:32 2017 UTC 9term: Add missing parentheses, preventing buffer overflow. (el-sr) is the string length and (sizeof wdir - strlen(name) - 20) is the buffer size. When the string length is greater than the buffer size, the beginning of the string is supposed to be trimmed to fit in the buffer size. Unfortunately a pair of parentheses were missing, pointing sr outside the buffer, and the for loop below then reads outside the buffer. For certain binary data printed in a window, it causes a segfault. Change-Id: Iffeaa348260ee2a5a36d9577308fb8d1c1688d05 Reviewed-on: https://plan9port-review.googlesource.com/1540 Reviewed-by: Gleydson Soares commit - 9f34853f7c6b459fb473d75cb78372406f69d7b2 commit + 669713d43f8a014ba481265d4c58c3fe575527b4 blob - 032f9ded0beccd88fba267a1a7c8be10214ada54 blob + 017d546b47475f45cee0d694a55734cceaff6bb1 --- src/cmd/9term/win.c +++ src/cmd/9term/win.c @@ -634,7 +634,7 @@ label(char *sr, int n) el = r+1; if(el-sr > sizeof wdir - strlen(name) - 20) - sr = el - sizeof wdir - strlen(name) - 20; + sr = el - (sizeof wdir - strlen(name) - 20); for(sl=el-3; sl>=sr; sl--) if(sl[0]=='\033' && sl[1]==']' && sl[2]==';') break;
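Review bot: the limit `sizeof wdir - strlen(name) - 20` in `label()` is still written out twice, once in the `if` condition and once in the corrected assignment to `sr`, and the bug fixed here was exactly those two copies disagreeing. Compute it once into a local (a hypothetical `size_t max = sizeof wdir - strlen(name) - 20;`) and use `max` in both the comparison and `sr = el - max;`, so the next edit cannot bring back the mismatch. Two related points on the same lines: the expression is unsigned, so if `strlen(name) + 20` can ever exceed `sizeof wdir` it wraps to a very large value and the trim silently never runs, which deserves an explicit check before the subtraction; and the constant `20` has no comment saying what it reserves space for.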