diff --git a/ANNOUNCE b/ANNOUNCE
index fe5d8e794..69117e1e2 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -179,6 +179,7 @@ Heinz-Jürgen Oertel
 Ian Ropers
 Ingo Schwarze
 Lennart Jablonka
+Lukas Javorsky
 Michał Kruszewski
 Mike Fulton
 Morten Bo Johansen
diff --git a/ChangeLog b/ChangeLog
index 349e9b318..bb12c124a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@
+2024-08-07 G. Branden Robinson
+
+ [troff]: Fix Savannah #66052 (1/2).
+
+ * src/roff/troff/env.cpp (hyphenate): Fix potential one-byte
+ stack overwrite if attempting to hyphenate a 256-letter sequence
+ within a word. Reserve space for null terminator in `hbuf`
+ character array. Initially, this isn't necessary because the
+ array is simply walked to normalize hyphenation codes by their
+ equivalence classes. However, when we subsequently look up the
+ {possibly partial} word in the exception dictionaries, `hbuf`
+ {or a pointer into it} needs to be treatable as a C string, thus
+ null-terminated. Respell already correct expression later in
+ the code to reinforce similarity.
+
+ Fixes (1/2). Thanks to
+ Lukas Javorsky for identifying the problem using "SAST analyzers
+ {combination of coverity, snyk, cppcheck, gcc, clang,
+ shellcheck, unicontrol}".
+
 2024-08-07 G. Branden Robinson
 * src/roff/troff/node.cpp (set_font_specific_special_fonts):
diff --git a/src/roff/troff/env.cpp b/src/roff/troff/env.cpp
index 015d1c172..5e3371cff 100644
--- a/src/roff/troff/env.cpp
+++ b/src/roff/troff/env.cpp
@@ -4233,7 +4233,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
 while (h && h->hyphenation_code == 0)
 h = h->next;
 int len = 0;
- char hbuf[WORD_MAX + 2];
+ char hbuf[WORD_MAX + 2 + 1];
 char *buf = hbuf + 1;
 hyphen_list *tem;
 for (tem = h; tem && len < WORD_MAX; tem = tem->next) {
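Review bot: The new size `char hbuf[WORD_MAX + 2 + 1];` closes the one-byte overrun but leaves the buffer layout implicit, and `+ 2 + 1` is exactly the kind of expression a later cleanup folds back into `+ 3` or `+ 2`; a comment on the declaration would pin it, e.g. `// hbuf: leading '.', up to WORD_MAX letters, trailing '.', then the NUL the exception-dictionary lookup needs`. The bound `len < WORD_MAX` in the loop on the last line of the hunk is what keeps `buf[len]` (which is `hbuf[len + 1]`, since `buf = hbuf + 1`) and the trailing `'.'` inside the array, so that invariant deserves a one-line note next to the loop as well. The write of the terminator itself, and the rest of hyphenate's body, are outside this hunk, so I cannot confirm here that every path that hands `hbuf` or `buf` to a C-string function terminates it first; that is worth checking once in the full function rather than trusting the ChangeLog description.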
@@ -4293,7 +4293,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
 }
 else {
 hbuf[0] = hbuf[len + 1] = '.';
- int num[WORD_MAX + 3];
+ int num[WORD_MAX + 2 + 1];
 current_language->patterns.hyphenate(hbuf, len + 2, num);
 // The position of a hyphenation point gets marked with an odd
 // number. Example:
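Review bot: Respelling `int num[WORD_MAX + 2 + 1];` documents the intent to match `hbuf`, but nothing enforces it, and the two declarations sit sixty lines apart in the same function; since `hbuf` is in scope here (it is written on the line above), `int num[sizeof hbuf];` would keep the two arrays the same length by construction if either is ever resized again. If they are meant to be sized independently, a one-line comment saying why the numeric array needs one slot per byte of `hbuf` would serve the same purpose. The call `current_language->patterns.hyphenate(hbuf, len + 2, num)` passes the dotted length without the terminator, and the callee that fills `num` is outside this hunk, so I am assuming it touches at most `len + 2` (plus one) entries; the body of hyphenate continues beyond the hunk as well.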