shithub: riscv

ref: da5c0bada7be9dd82ca1f63e621670143597d3bb
parent: 6cd83e5d246753f2b8691dded4697f858a9cd513
author: cinap_lenrek <[email protected]>
date: Fri Jul 27 05:31:28 EDT 2018

dc: fix off by one in stack overflow check (thanks BurnZeZ)

BurnZeZ → Found a bug in dc(1)
BurnZeZ → Everything breaks when you fill the stack
BurnZeZ → You have stkptr which crap expects to point to an available member in Blk *stack[STKSZ];
BurnZeZ → stkend = &stack[STKSZ];
BurnZeZ → stkptr is allowed to equal stkend
BurnZeZ → So crap that expects stkptr to be pointing to an available Blk ends up dereferencing past the end of the array
BurnZeZ → term% echo `{seq 1 100} f | dc
BurnZeZ → dc 628283: suicide: sys: trap: fault read addr=0xffffe0000040a618 pc=0x204b1c

--- a/sys/src/cmd/dc.c
+++ b/sys/src/cmd/dc.c
@@ -1218,7 +1218,7 @@
 	strptr = salloc(0);
 	divxyz = salloc(0);
 	stkbeg = stkptr = &stack[0];
-	stkend = &stack[STKSZ];
+	stkend = &stack[STKSZ-1];
 	stkerr = 0;
 	readptr = &readstk[0];
 	k=0;
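Review bot: the sentinel changes here but the comparison that uses it is outside this hunk, so a reader cannot see from the diff alone whether the overflow check compares `stkptr` against `stkend` with `==` or `>=`; either way, moving `stkend` to `&stack[STKSZ-1]` turns it from the conventional one-past-the-end bound into an inclusive bound, and that deserves a comment on the assignment, e.g. `stkend = &stack[STKSZ-1];	/* last usable slot; overflow check is inclusive */`, so nobody later "fixes" it back to `&stack[STKSZ]`. If the check is an equality test, the last slot of `stack[]` is now never filled, which is an acceptable cost but worth stating in that comment. It would also be good to record the reproducer from the message (`echo `{seq 1 100} f | dc`) as the regression case, confirming it now reports a stack error instead of faulting.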