[troff]: Fix Savannah #66052 (1/2).

* src/roff/troff/env.cpp (hyphenate): Fix potential one-byte stack overwrite if attempting to hyphenate a 256-letter sequence within a word. Reserve space for null terminator in `hbuf` character array. Initially, this isn't necessary because the array is simply walked to normalize hyphenation codes by their equivalence classes. However, when we subsequently look up the (possibly partial) word in the exception dictionaries, `hbuf` (or a pointer into it) needs to be treatable as a C string, thus null-terminated. Respell already correct expression later in the code to reinforce similarity. Partially fixes <https://savannah.gnu.org/bugs/?66052>. Thanks to Lukas Javorsky for identifying the problem using "SAST analyzers (combination of coverity, snyk, cppcheck, gcc, clang, shellcheck, unicontrol)". ANNOUNCE: Acknowledge Lukas.
2026-01-26 15:39:07 +00:00 · 2024-08-07 01:36:09 -05:00 · 2024-08-07 01:36:09 -05:00 · 568beeb2ef
commit 568beeb2ef
parent 118cc27879
3 changed files with 23 additions and 2 deletions
--- a/1
+++ b/1
@ -179,6 +179,7 @@ Heinz-Jürgen Oertel
 Ian Ropers
 Ingo Schwarze
 Lennart Jablonka
+Lukas Javorsky
 Michał Kruszewski
 Mike Fulton
 Morten Bo Johansen
--- a/20
+++ b/20
@ -1,3 +1,23 @@
+2024-08-07  G. Branden Robinson <g.branden.robinson@gmail.com>
+
+	[troff]: Fix Savannah #66052 (1/2).
+
+	* src/roff/troff/env.cpp (hyphenate): Fix potential one-byte
+	stack overwrite if attempting to hyphenate a 256-letter sequence
+	within a word.  Reserve space for null terminator in `hbuf`
+	character array.  Initially, this isn't necessary because the
+	array is simply walked to normalize hyphenation codes by their
+	equivalence classes.  However, when we subsequently look up the
+	{possibly partial} word in the exception dictionaries, `hbuf`
+	{or a pointer into it} needs to be treatable as a C string, thus
+	null-terminated.  Respell already correct expression later in
+	the code to reinforce similarity.
+
+	Fixes <https://savannah.gnu.org/bugs/?66052> (1/2).  Thanks to
+	Lukas Javorsky for identifying the problem using "SAST analyzers
+	{combination of coverity, snyk, cppcheck, gcc, clang,
+	shellcheck, unicontrol}".
+
 2024-08-07  G. Branden Robinson <g.branden.robinson@gmail.com>

 	* src/roff/troff/node.cpp (set_font_specific_special_fonts):
--- a/src/roff/troff/env.cpp
+++ b/src/roff/troff/env.cpp
@ -4233,7 +4233,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
    while (h && h->hyphenation_code == 0)
      h = h->next;
    int len = 0;
-    char hbuf[WORD_MAX + 2];
+    char hbuf[WORD_MAX + 2 + 1];
    char *buf = hbuf + 1;
    hyphen_list *tem;
    for (tem = h; tem && len < WORD_MAX; tem = tem->next) {
@ -4293,7 +4293,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
 	}
 	else {
 	  hbuf[0] = hbuf[len + 1] = '.';
-	  int num[WORD_MAX + 3];
+	  int num[WORD_MAX + 2 + 1];
 	  current_language->patterns.hyphenate(hbuf, len + 2, num);
 	  // The position of a hyphenation point gets marked with an odd
 	  // number.  Example: