From edc602651c506aeeb60544b55534dd1722a340d3 Mon Sep 17 00:00:00 2001

From: Rene Kita <mail@rkta.de>

Date: Thu, 13 Jul 2023 07:50:26 +0200

Subject: [PATCH] Fix OOB access due to multiple backspaces

Commit 419ca82d57 (Fix m17n backspace handling causes out-of-bounds

write in checkType) introduced an incomplete fix.

In function checkType we store the length of the previous multi-char

character in a buffer plens_buffer with pointer plens pointing to the

current position inside the buffer. When encountering a backspace plens

is set to the previous position without a bounds check. This will lead

to plens being out of bounds if we get more backspaces than we have

processed multi-char characters before.

If we are at the beginning of the buffer do not decrement and set plen

(the current length) to 0.

This also fixes GH Issue #270 [BUG] Out of bound read in Strnew_size ,

Str.c:61

If the above explanation does sound weird it's because I didn't fully

grok that function. :-)

---

 etc.c | 10 ++++++++--

 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/etc.c b/etc.c

index 128717b18..b56615136 100644

--- a/etc.c

+++ b/etc.c

@@ -393,7 +393,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)

 			    if (color)

 				color -= plen;

 #endif

-			    plen = *(--plens);

+			    if (plens == plens_buffer)

+				plen = 0;

+			    else

+				plen = *(--plens);

 			    str += 2;

 			}

 		    }

@@ -419,7 +422,10 @@ checkType(Str s, Lineprop **oprop, Linecolor **ocolor)

 			    if (color)

 				color -= plen;

 #endif

-			    plen = *(--plens);

+			    if (plens == plens_buffer)

+				plen = 0;

+			    else

+				plen = *(--plens);

 			    str++;

 			}

 #else