ref: da5c0bada7be9dd82ca1f63e621670143597d3bb
parent: 6cd83e5d246753f2b8691dded4697f858a9cd513
author: cinap_lenrek <[email protected]>
date: Fri Jul 27 05:31:28 EDT 2018
dc: fix off by one in stack overflow check (thanks BurnZeZ) BurnZeZ → Found a bug in dc(1) BurnZeZ → Everything breaks when you fill the stack BurnZeZ → You have stkptr which crap expects to point to an available member in Blk *stack[STKSZ]; BurnZeZ → stkend = &stack[STKSZ]; BurnZeZ → stkptr is allowed to equal stkend BurnZeZ → So crap that expects stkptr to be pointing to an available Blk ends up dereferencing past the end of the array BurnZeZ → term% echo `{seq 1 100} f | dc BurnZeZ → dc 628283: suicide: sys: trap: fault read addr=0xffffe0000040a618 pc=0x204b1c
--- a/sys/src/cmd/dc.c
+++ b/sys/src/cmd/dc.c
@@ -1218,7 +1218,7 @@
strptr = salloc(0);
divxyz = salloc(0);
stkbeg = stkptr = &stack[0];
- stkend = &stack[STKSZ];
+ stkend = &stack[STKSZ-1];
stkerr = 0;
readptr = &readstk[0];
k=0;