[bug #66052] [troff] possible 1-byte stack and heap overruns
From: G. Branden Robinson
Subject: [bug #66052] [troff] possible 1-byte stack and heap overruns
Date: Wed, 7 Aug 2024 03:02:50 -0400 (EDT)
Follow-up Comment #2, bug #66052 (group groff):
Hi Lukas,

I believe your first case is indeed a bug, though a relatively pathological
case. Here's the ChangeLog entry I have pending for it.

2024-08-07 G. Branden Robinson <g.branden.robinson@gmail.com>

[troff]: Fix Savannah #66052.

* src/roff/troff/env.cpp (hyphenate): Fix potential one-byte
stack overwrite if attempting to hyphenate a 256-character long
series of characters within a word. Reserve space for null
terminator in `hbuf` character array. Initially, this isn't
necessary because the array is simply walked to normalize
hyphenation codes by their equivalence classes. However, when
we subsequently look up the (possibly partial) word in the
exception dictionaries, `hbuf` (or a pointer into it) needs to
be treatable as a C string, thus null-terminated. Respell
already correct expression later in the code to reinforce
similarity.

Fixes <https://savannah.gnu.org/bugs/?66052>. Thanks to Lukas
Javorsky for identifying the problem using "SAST analyzers
{combination of coverity, snyk, cppcheck, gcc, clang,
shellcheck, unicontrol}".
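
The off-by-one described in the ChangeLog entry above, as an added C illustration that is not groff's code. Only `hbuf` and the 256-character case come from the message; `WORD_LIMIT`, the function names, the toy code mapping and the canary byte standing in for whatever follows `hbuf` on the stack are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define WORD_LIMIT 256   /* assumed: most codes the copy loop will store */
#define CANARY     0xA5  /* stands in for the byte that follows hbuf */

/* Store normalised codes, then null-terminate so hbuf can be passed to a
 * C-string dictionary lookup. hbuf_size is the declared size of hbuf.
 * Returns 1 if the byte just past hbuf is untouched, 0 if overwritten. */
static int neighbour_intact(const char *word, size_t hbuf_size, size_t *stored)
{
    /* frame[0..hbuf_size-1] models hbuf and frame[hbuf_size] its neighbour;
     * one backing array keeps this demonstration well-defined C. */
    unsigned char frame[WORD_LIMIT + 2];
    unsigned char *hbuf = frame;
    size_t n = 0;

    frame[hbuf_size] = CANARY;
    while (word[n] != '\0' && n < WORD_LIMIT) {
        hbuf[n] = (unsigned char)(word[n] | 0x20);   /* toy code mapping */
        n++;
    }
    hbuf[n] = '\0';   /* index 256 is past the end of a 256-byte hbuf */
    *stored = n;
    return frame[hbuf_size] == CANARY;
}

/* Before: hbuf holds WORD_LIMIT codes with no slot for the terminator. */
int intact_before(const char *word, size_t *stored)
{
    return neighbour_intact(word, WORD_LIMIT, stored);
}

/* After: one extra byte is reserved for the terminator. */
int intact_after(const char *word, size_t *stored)
{
    return neighbour_intact(word, WORD_LIMIT + 1, stored);
}

int main(void)
{
    char word[WORD_LIMIT + 1];   /* constructed input: 256 letters */
    size_t n;

    memset(word, 'A', WORD_LIMIT);
    word[WORD_LIMIT] = '\0';
    printf("before: intact=%d\n", intact_before(word, &n));
    printf("after:  intact=%d\n", intact_after(word, &n));
    return 0;
}
```

A 255-letter word leaves the neighbouring byte alone in both variants, which is why the defect only shows at exactly the limit.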