Tree
- Tree:
d02b6ad8fb67517ebf2e6bfe8bb3cc97e5ca5a61
- Date:
- Message:
- libdraw: fix out-of-bounds access to local buffer in event.c:startrpc() The function `startrpc()` stack allocates a local buffer of size 100: ```c static Muxrpc* startrpc(int type) { uchar buf[100]; ^^^^^^^^ Wsysmsg w; w.type = type; convW2M(&w, buf, sizeof buf); return muxrpcstart(display->mux, buf); } ``` The function `convW2M()` is called passing `buf`. That function accesses `buf` out-of-bounds: ```c uint convW2M(Wsysmsg *m, uchar *p, uint n) { ... case Tcursor2: PUT(p+6, m->cursor.offset.x); PUT(p+10, m->cursor.offset.y); memmove(p+14, m->cursor.clr, sizeof m->cursor.clr); memmove(p+46, m->cursor.set, sizeof m->cursor.set); PUT(p+78, m->cursor2.offset.x); PUT(p+82, m->cursor2.offset.y); memmove(p+86, m->cursor2.clr, sizeof m->cursor2.clr); memmove(p+214, m->cursor2.set, sizeof m->cursor2.set); p[342] = m->arrowcursor; ^^^^^^ ``` To fix the issue the size of local variable `buf` is increased from 100 to 512 to avoid out-of-bounds array access.
README
This directory contains scripts and files that help to run the distribution. mk check.out summarizes problems with the man pages. mk man recreates the HTML version of the man pages mk push copies the HTML pages to 9fans.github.io