ref: 6dbecfb457d1625687f2338696c2b8195c831ae4
parent: 0eb81f732044895cf09c763bf5b63a54b29f6461
author: Ori Bernstein <ori@eigenstate.org>
date: Sat Aug 1 06:49:29 EDT 2020
htmlroff: fix out of bounds access (thanks Rei-sen, via plan9port) _readx() uses rune count as its argument and not size, so we should pass nelem() instead of sizeof().
--- a/sys/src/cmd/htmlroff/roff.c
+++ b/sys/src/cmd/htmlroff/roff.c
@@ -257,7 +257,7 @@
int c;
Rune *r;
- if(_readx(buf, sizeof buf, ArgMode, 0) < 0)
+ if(_readx(buf, nelem(buf), ArgMode, 0) < 0)
return nil;
r = runestrstr(buf, L("\\\"")); if(r){@@ -280,7 +280,7 @@
static Rune buf[MaxLine];
Rune *r;
- if(_readx(buf, sizeof buf, m, 1) < 0)
+ if(_readx(buf, nelem(buf), m, 1) < 0)
return nil;
r = erunestrdup(buf);
return r;