From 568beeb2efed5299868585c9bf3c700413cf1a12 Mon Sep 17 00:00:00 2001
From: "G. Branden Robinson"
Date: Wed, 7 Aug 2024 01:36:09 -0500
Subject: [PATCH] [troff]: Fix Savannah #66052 (1/2).
* src/roff/troff/env.cpp (hyphenate): Fix potential one-byte stack overwrite if attempting to hyphenate a 256-letter sequence within a word. Reserve space for null terminator in `hbuf` character array. Initially, this isn't necessary because the array is simply walked to normalize hyphenation codes by their equivalence classes. However, when we subsequently look up the (possibly partial) word in the exception dictionaries, `hbuf` (or a pointer into it) needs to be treatable as a C string, thus null-terminated. Respell already correct expression later in the code to reinforce similarity.
Partially fixes . Thanks to Lukas Javorsky for identifying the problem using "SAST analyzers (combination of coverity, snyk, cppcheck, gcc, clang, shellcheck, unicontrol)".
ANNOUNCE: Acknowledge Lukas.
---
 ANNOUNCE | 1 +
 ChangeLog | 20 ++++++++++++++++++++
 src/roff/troff/env.cpp | 4 ++--
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/ANNOUNCE b/ANNOUNCE
index fe5d8e794..69117e1e2 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -179,6 +179,7 @@ Heinz-Jürgen Oertel
 Ian Ropers
 Ingo Schwarze
 Lennart Jablonka
+Lukas Javorsky
 Michał Kruszewski
 Mike Fulton
 Morten Bo Johansen
diff --git a/ChangeLog b/ChangeLog
index 349e9b318..bb12c124a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,23 @@
+2024-08-07 G. Branden Robinson
+
+ [troff]: Fix Savannah #66052 (1/2).
+
+ * src/roff/troff/env.cpp (hyphenate): Fix potential one-byte
+ stack overwrite if attempting to hyphenate a 256-letter sequence
+ within a word. Reserve space for null terminator in `hbuf`
+ character array. Initially, this isn't necessary because the
+ array is simply walked to normalize hyphenation codes by their
+ equivalence classes. However, when we subsequently look up the
+ {possibly partial} word in the exception dictionaries, `hbuf`
+ {or a pointer into it} needs to be treatable as a C string, thus
+ null-terminated. Respell already correct expression later in
+ the code to reinforce similarity.
+
+ Fixes (1/2). Thanks to
+ Lukas Javorsky for identifying the problem using "SAST analyzers
+ {combination of coverity, snyk, cppcheck, gcc, clang,
+ shellcheck, unicontrol}".
+
 2024-08-07 G. Branden Robinson
 
 * src/roff/troff/node.cpp (set_font_specific_special_fonts):
diff --git a/src/roff/troff/env.cpp b/src/roff/troff/env.cpp
index 015d1c172..5e3371cff 100644
--- a/src/roff/troff/env.cpp
+++ b/src/roff/troff/env.cpp
@@ -4233,7 +4233,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
 while (h && h->hyphenation_code == 0)
 h = h->next;
 int len = 0;
- char hbuf[WORD_MAX + 2];
+ char hbuf[WORD_MAX + 2 + 1];
 char *buf = hbuf + 1;
 hyphen_list *tem;
 for (tem = h; tem && len < WORD_MAX; tem = tem->next) {
@@ -4293,7 +4293,7 @@ void hyphenate(hyphen_list *h, unsigned flags)
 }
 else {
 hbuf[0] = hbuf[len + 1] = '.';
- int num[WORD_MAX + 3];
+ int num[WORD_MAX + 2 + 1];
 current_language->patterns.hyphenate(hbuf, len + 2, num);
 // The position of a hyphenation point gets marked with an odd
 // number. Example:
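Review bot: The new `char hbuf[WORD_MAX + 2 + 1]` in the first env.cpp hunk (line 4236) packs three distinct reservations into one expression that nothing nearby explains, and the second hunk's `int num[WORD_MAX + 2 + 1]` (line 4296) is the same arithmetic for a different reason, since `patterns.hyphenate()` is handed `len + 2` bytes of `hbuf`. I would annotate the declaration with `// Room for the leading '.', WORD_MAX letters, the trailing '.', and the NUL the exception-dictionary lookup needs` and give `num` its own note, `// one entry per byte passed to patterns.hyphenate(), plus one (confirm against its contract)`, the second being an inference from the `len + 2` argument because the hyphenator's indexing is outside this hunk. Deriving both sizes from one named constant would keep them from drifting apart the next time the slack around `WORD_MAX` changes. The write that actually terminates `buf`, and so bounds the dictionary lookup the message describes, is not in either hunk, and `hyphenate` starts and ends outside them, so from these lines I can only confirm that the fill loop stops at `len < WORD_MAX` and that `hbuf[len + 1]` is written as `'.'`.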