From da5c0bada7be9dd82ca1f63e621670143597d3bb Mon Sep 17 00:00:00 2001 From: cinap_lenrek Date: Fri, 27 Jul 2018 09:31:28 +0200 Subject: [PATCH] dc: fix off by one in stack overflow check (thanks BurnZeZ) MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit BurnZeZ → Found a bug in dc(1) BurnZeZ → Everything breaks when you fill the stack BurnZeZ → You have stkptr which crap expects to point to an available member in Blk *stack[STKSZ]; BurnZeZ → stkend = &stack[STKSZ]; BurnZeZ → stkptr is allowed to equal stkend BurnZeZ → So crap that expects stkptr to be pointing to an available Blk ends up dereferencing past the end of the array BurnZeZ → term% echo `{seq 1 100} f | dc BurnZeZ → dc 628283: suicide: sys: trap: fault read addr=0xffffe0000040a618 pc=0x204b1c --- sys/src/cmd/dc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/src/cmd/dc.c b/sys/src/cmd/dc.c index c121b13d8..abc7060fd 100644 --- a/sys/src/cmd/dc.c +++ b/sys/src/cmd/dc.c @@ -1218,7 +1218,7 @@ init(int argc, char *argv[]) strptr = salloc(0); divxyz = salloc(0); stkbeg = stkptr = &stack[0]; - stkend = &stack[STKSZ]; + stkend = &stack[STKSZ-1]; stkerr = 0; readptr = &readstk[0]; k=0; -- 2.44.0
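Review bot: the `stkend = &stack[STKSZ-1];` change is only correct if the push path checks `stkptr == stkend` before pre-incrementing and storing (`*++stkptr = p`), which is what the report describes (stkptr was allowed to equal stkend, so the next push wrote to stack[STKSZ]); the hunk does not show that check, so please confirm it in pushp and that no other comparison against stkend in dc.c assumes the conventional one-past-the-end meaning, since this line now gives stkend the meaning "last usable slot". Because `&stack[STKSZ-1]` reads like a typo of the usual end-pointer idiom, a one-line comment next to it (for example `/* last usable slot: pushp pre-increments stkptr before storing */`) would keep a future reader from reverting it. The reproducer from the report, `echo `{seq 1 100} f | dc`, should now fail with the out-of-stack-space error rather than a fault; mentioning that expected outcome in the commit message would make the fix easy to verify.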