dc: fix off by one in stack overflow check (thanks BurnZeZ)

BurnZeZ → Found a bug in dc(1)
BurnZeZ → Everything breaks when you fill the stack
BurnZeZ → You have stkptr which crap expects to point to an available member in Blk *stack[STKSZ];
BurnZeZ → stkend = &stack[STKSZ];
BurnZeZ → stkptr is allowed to equal stkend
BurnZeZ → So crap that expects stkptr to be pointing to an available Blk ends up dereferencing past the end of the array
BurnZeZ → term% echo `{seq 1 100} f | dc
BurnZeZ → dc 628283: suicide: sys: trap: fault read addr=0xffffe0000040a618 pc=0x204b1c

diff --git a/sys/src/cmd/dc.c b/sys/src/cmd/dc.c
index c121b13d8af0da61ebde17644a3a8dc4b8dc8112..abc7060fd4ecf81a78ea274f2cbb0ab6bc2e0676 100644 (file)
--- a/sys/src/cmd/dc.c
+++ b/sys/src/cmd/dc.c
@@ -1218,7 +1218,7 @@ init(int argc, char *argv[])
        strptr = salloc(0);
        divxyz = salloc(0);
        stkbeg = stkptr = &stack[0];
-       stkend = &stack[STKSZ];
+       stkend = &stack[STKSZ-1];
        stkerr = 0;
        readptr = &readstk[0];
        k=0;