in display_string(), fix memory corruption problems caused by not

allocating enough space for converted when a line ends in a tab(s) and we're not in UTF-8 mode git-svn-id: svn://svn.savannah.gnu.org/nano/trunk/nano@3272 35c25a1d-7b9e-4130-9fde-d3aeb78583b8
2006-02-03 03:58:49 +00:00 · 2006-02-03 03:58:49 +00:00 · 114cfb63f4
parent 1f104f8079
commit 114cfb63f4
2 changed files with 31 additions and 6 deletions
--- a/3
+++ b/3
@ -37,6 +37,9 @@ CVS code -
 	  Mike Frysinger)
  display_string()
 	- Fix minor memory leak. (DLR)
+	- Fix memory corruption problems caused by not allocating enough
+	  space for converted when a line ends in a tab(s) and we're not
+	  in UTF-8 mode. (DLR, found by Nick Warne and Mike Frysinger)
 - doc/nano.1:
 	- Better display the default values for quotestr. (DLR)
 - doc/nanorc.5:
--- a/src/winio.c
+++ b/src/winio.c
@ -1809,10 +1809,22 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool

    assert(column <= start_col);

-    /* Allocate enough space for the entire line. */
-    alloc_len = (mb_cur_max() * (COLS + 1));
+    /* Make sure there's enough room for the initial character, whether
+     * it's a multibyte control character, a non-control multibyte
+     * character, a tab character, or a null terminator.  Rationale:
+     *
+     * multibyte control character followed by a null terminator:
+     *     1 byte ('^') + mb_cur_max() bytes + 1 byte ('\0')
+     * multibyte non-control character followed by a null terminator:
+     *     mb_cur_max() bytes + 1 byte ('\0')
+     * tab character followed by a null terminator:
+     *     mb_cur_max() bytes + (tabsize - 1) bytes + 1 byte ('\0')
+     *
+     * Since tabsize has a minimum value of 1, it can substitute for 1
+     * byte above. */
+    alloc_len = (mb_cur_max() + tabsize + 1) * MAX_BUF_SIZE;
+    converted = charalloc(alloc_len);

-    converted = charalloc(alloc_len + 1);
    index = 0;

    if (buf[start_index] != '\t' && (column < start_col || (dollars &&
@ -1849,9 +1861,17 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool
 #endif
    }

-    while (index < alloc_len - 1 && buf[start_index] != '\0') {
+    while (buf[start_index] != '\0') {
 	buf_mb_len = parse_mbchar(buf + start_index, buf_mb, NULL);

+	/* Make sure there's enough room for the next character, whether
+	 * it's a multibyte control character, a non-control multibyte
+	 * character, a tab character, or a null terminator. */
+	if (index + mb_cur_max() + tabsize + 1 >= alloc_len - 1) {
+	    alloc_len += (mb_cur_max() + tabsize + 1) * MAX_BUF_SIZE;
+	    converted = charealloc(converted, alloc_len);
+	}
+
 	/* If buf contains a tab character, interpret it. */
 	if (*buf_mb == '\t') {
 #if !defined(NANO_TINY) && defined(ENABLE_NANORC)
@ -1923,8 +1943,10 @@ char *display_string(const char *buf, size_t start_col, size_t len, bool

    free(buf_mb);

-    if (index < alloc_len - 1)
-	converted[index] = '\0';
+    assert(alloc_len >= index + 1);
+
+    /* Null terminate converted. */
+    converted[index] = '\0';

    /* Make sure converted takes up no more than len columns. */
    index = actual_x(converted, len);