Commit: patch 9.1.0094: xxd: buffer-overflow when writing color output
3 views
Skip to first unread message
Christian Brabandt
Feb 10, 2024, 7:45:09 AM2/10/24
to vim...@googlegroups.com
patch 9.1.0094: xxd: buffer-overflow when writing color output
Commit: https://github.com/vim/vim/commit/00221487731ea1868c57259c7aa0eb713cd7ade7
Author: Goffredo Baroncelli <krei...@inwind.it>
Date: Sat Feb 10 13:31:06 2024 +0100
patch 9.1.0094: xxd: buffer-overflow when writing color output
Problem: xxd: buffer-overflow when writing color output
Solution: properly account for the color escape sequences and
adjust LLEN macro
(Goffredo Baroncelli)
xxd: crash with higer number of column
xxd writes the data into a buffer before printing. Unfortunately
the buffer doesn't consider the space consumed by the escape
sequences used to change the color of the character.
BEFORE:
$ xxd -Ralways -c 256 /etc/passwd
Segmentation fault (core dumped)
AFTER:
$ ./xxd -Ralways -c 256 /etc/passwd
00000000: 726f 6f74 3a78 3a30 3a30 3a72 6f6f 743a 2f72 [...]
To solve this issue I had to increase the size of the buffer
considering for each byte of data 11 further characters for the
color escape sequence.
closes: #14003
Signed-off-by: Goffredo Baroncelli <krei...@libero.it>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/version.c b/src/version.c
index 685f8b0df..598a957ad 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 94,
/**/
93,
/**/
diff --git a/src/xxd/xxd.c b/src/xxd/xxd.c
index a5f5f04ad..cf8b4ea6a 100644
--- a/src/xxd/xxd.c
+++ b/src/xxd/xxd.c
@@ -61,6 +61,7 @@
* 12.01.2024 disable auto-conversion for z/OS (MVS)
* 17.01.2024 use size_t instead of usigned int for code-generation (-i), #13876
* 25.01.2024 revert the previous patch (size_t instead of unsigned int)
+ * 10.02.2024 fix buffer-overflow when writing color output to buffer, #14003
*
* (c) 1990-1998 by Juergen Weigert (jnwe...@gmail.com)
*
@@ -141,7 +142,7 @@ extern void perror __P((char *));
# endif
#endif
-char version[] = "xxd 2024-01-25 by Juergen Weigert et al.";
+char version[] = "xxd 2024-02-10 by Juergen Weigert et al.";
#ifdef WIN32
char osver[] = " (Win32)";
#else
@@ -200,7 +201,33 @@ char osver[] = "";
#define TRY_SEEK /* attempt to use lseek, or skip forward by reading */
#define COLS 256 /* change here, if you ever need more columns */
-#define LLEN ((2*(int)sizeof(unsigned long)) + 4 + (9*COLS-1) + COLS + 2)
+
+/*
+ * LLEN is the maximum length of a line; other than the visible characters
+ * we need to consider also the escape color sequence prologue/epilogue ,
+ * (11 bytes for each character). The most larger format is the default one:
+ * addr + 1 word for each col/2 + 1 char for each col
+ *
+ * addr 1st group 2nd group
+ * +-------+ +-----------------+ +------+
+ * 01234567: 1234 5678 9abc def0 12345678
+ *
+ * - addr: typically 012345678: -> from 10 up to 18 bytes (including trailing
+ * space)
+ * - 1st group: 1234 5678 9abc ... -> each byte may be colored, so add 11
+ * for each byte
+ * - space -> 1 byte
+ * - 2nd group: 12345678 -> each char may be colore so add 11
+ * for each byte
+ * - new line -> 1 byte
+ * - zero (end line) -> 1 byte
+ */
+#define LLEN (2*(int)sizeof(unsigned long) + 2 + /* addr + ": " */ \
+ (11 * 2 + 4 + 1) * (COLS / 2) + /* 1st group */ \
+ 1 + /* space */ \
+ (1 + 11) * COLS + /* 2nd group */ \
+ 1 + /* new line */ \
+ 1) /* zero */
char hexxa[] = "0123456789abcdef0123456789ABCDEF", *hexx = hexxa;
Commit: https://github.com/vim/vim/commit/00221487731ea1868c57259c7aa0eb713cd7ade7
Author: Goffredo Baroncelli <krei...@inwind.it>
Date: Sat Feb 10 13:31:06 2024 +0100
patch 9.1.0094: xxd: buffer-overflow when writing color output
Problem: xxd: buffer-overflow when writing color output
Solution: properly account for the color escape sequences and
adjust LLEN macro
(Goffredo Baroncelli)
xxd: crash with higer number of column
xxd writes the data into a buffer before printing. Unfortunately
the buffer doesn't consider the space consumed by the escape
sequences used to change the color of the character.
BEFORE:
$ xxd -Ralways -c 256 /etc/passwd
Segmentation fault (core dumped)
AFTER:
$ ./xxd -Ralways -c 256 /etc/passwd
00000000: 726f 6f74 3a78 3a30 3a30 3a72 6f6f 743a 2f72 [...]
To solve this issue I had to increase the size of the buffer
considering for each byte of data 11 further characters for the
color escape sequence.
closes: #14003
Signed-off-by: Goffredo Baroncelli <krei...@libero.it>
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/version.c b/src/version.c
index 685f8b0df..598a957ad 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 94,
/**/
93,
/**/
diff --git a/src/xxd/xxd.c b/src/xxd/xxd.c
index a5f5f04ad..cf8b4ea6a 100644
--- a/src/xxd/xxd.c
+++ b/src/xxd/xxd.c
@@ -61,6 +61,7 @@
* 12.01.2024 disable auto-conversion for z/OS (MVS)
* 17.01.2024 use size_t instead of usigned int for code-generation (-i), #13876
* 25.01.2024 revert the previous patch (size_t instead of unsigned int)
+ * 10.02.2024 fix buffer-overflow when writing color output to buffer, #14003
*
* (c) 1990-1998 by Juergen Weigert (jnwe...@gmail.com)
*
@@ -141,7 +142,7 @@ extern void perror __P((char *));
# endif
#endif
-char version[] = "xxd 2024-01-25 by Juergen Weigert et al.";
+char version[] = "xxd 2024-02-10 by Juergen Weigert et al.";
#ifdef WIN32
char osver[] = " (Win32)";
#else
@@ -200,7 +201,33 @@ char osver[] = "";
#define TRY_SEEK /* attempt to use lseek, or skip forward by reading */
#define COLS 256 /* change here, if you ever need more columns */
-#define LLEN ((2*(int)sizeof(unsigned long)) + 4 + (9*COLS-1) + COLS + 2)
+
+/*
+ * LLEN is the maximum length of a line; other than the visible characters
+ * we need to consider also the escape color sequence prologue/epilogue ,
+ * (11 bytes for each character). The most larger format is the default one:
+ * addr + 1 word for each col/2 + 1 char for each col
+ *
+ * addr 1st group 2nd group
+ * +-------+ +-----------------+ +------+
+ * 01234567: 1234 5678 9abc def0 12345678
+ *
+ * - addr: typically 012345678: -> from 10 up to 18 bytes (including trailing
+ * space)
+ * - 1st group: 1234 5678 9abc ... -> each byte may be colored, so add 11
+ * for each byte
+ * - space -> 1 byte
+ * - 2nd group: 12345678 -> each char may be colore so add 11
+ * for each byte
+ * - new line -> 1 byte
+ * - zero (end line) -> 1 byte
+ */
+#define LLEN (2*(int)sizeof(unsigned long) + 2 + /* addr + ": " */ \
+ (11 * 2 + 4 + 1) * (COLS / 2) + /* 1st group */ \
+ 1 + /* space */ \
+ (1 + 11) * COLS + /* 2nd group */ \
+ 1 + /* new line */ \
+ 1) /* zero */
char hexxa[] = "0123456789abcdef0123456789ABCDEF", *hexx = hexxa;
Reply all
Reply to author
Forward
0 new messages