    Bug#20318154 : NEGATIVE ARRAY INDEX WRITE V2 · eb79ead4
    Arun Kuruvila authored
    Description:- There is a possibility of negative array index
    write associated with the function "terminal_writec()". This
    is due to the assumption that there is a possibility of
    getting a -1 return value from the function call
    "ct_visual_char()".
    
    Analysis:- The function "terminal_writec()" is called only
    from "em_delete_or_list()" and "vi_list_or_eof()" and both
    these functions deal with the "^D" (ctrl+D) signal. So the
    "size_t len" and "Char c" passed to "ct_visual_char()" (when
    called from "terminal_writec()") is always 8 (macro
    VISUAL_WIDTH_MAX is passed whose value is 8) and 4 (ASCII
    value for "^D"/"ctrl+D") respectively.
    Since the value of "c" is 4, "ct_chr_class()" returns -1
    (macro CHTYPE_ASCIICTL is associated with -1 value). And
    since value of "len" is 8, "ct_visual_char()" will always
    return 2 when it is called from "terminal_writec()".
    So there is no possible case in which we encounter a negative
    array index write in "terminal_writec()". But since there is
    a rare possibility of using "terminal_writec()" in future
    enhancements, it is good to handle the error case as well.
    
    Fix:- A condition is added in "terminal_writec()" to check
    whether "ct_visual_char()" is returning -1 or not. If the
    return value is -1, then value 0 is returned to its calling
    function "em_delete_or_list()" or "vi_list_or_eof()", which
    in turn will return CC_ERROR.
    
    NOTE:- No testcase is added since currently there is no
    possible scenario to encounter this error case.
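As an added example (this is not libedit's code and not part of the commit above), a simplified C model of the pattern the message describes: a renderer with the same contract as "ct_visual_char()" (number of cells written, or -1 on failure), a helper that reports the index the unchecked code would have used for the terminator, and the guarded version that returns 0 so the caller can return CC_ERROR. Every name, constant and classifier rule here (model_chr_class, model_visual_char, writec_checked, the CC_* values, the 0x20/0x7f boundaries) is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Assumed constants modelled on the commit message: an 8-cell visual
 * buffer and a class value of -1 for ASCII control characters. These are
 * this example's own definitions, not libedit's headers. */
#define VISUAL_WIDTH_MAX  8
#define CHTYPE_ASCIICTL   (-1)
#define CHTYPE_ASCIIPRINT 0
#define CHTYPE_OTHER      1

/* Hypothetical classifier: control chars -> -1, printable ASCII -> 0,
 * anything else -> 1 (treated as "cannot render" below). */
static int model_chr_class(int c)
{
    if (c >= 0 && c < 0x20) return CHTYPE_ASCIICTL;
    if (c >= 0x20 && c < 0x7f) return CHTYPE_ASCIIPRINT;
    return CHTYPE_OTHER;
}

/* Hypothetical renderer with the contract the commit describes: writes the
 * visible form of c into dst (at most len cells) and returns the number of
 * cells used, or -1 when it cannot render within len. */
static ssize_t model_visual_char(char *dst, size_t len, int c)
{
    switch (model_chr_class(c)) {
    case CHTYPE_ASCIICTL:            /* ^D is shown as "^D": 2 cells */
        if (len < 2) return -1;
        dst[0] = '^';
        dst[1] = (char)(c | 0x40);   /* 0x04 -> 'D' */
        return 2;
    case CHTYPE_ASCIIPRINT:
        if (len < 1) return -1;
        dst[0] = (char)c;
        return 1;
    default:
        return -1;                   /* not renderable in this model */
    }
}

/* Index the pre-fix shape would use for visbuf[vcnt] = '\0' with no check.
 * A -1 here means the terminator lands one byte before the array; this
 * helper only reports the index and never performs that write. */
static ssize_t unchecked_terminator_index(int c)
{
    char visbuf[VISUAL_WIDTH_MAX + 1];
    return model_visual_char(visbuf, VISUAL_WIDTH_MAX, c);
}

/* Fixed shape, mirroring the commit: reject a negative count before it is
 * used as an index. Returns 1 on success (rendered text copied to out) and
 * 0 on error, which the caller maps to CC_ERROR. */
static int writec_checked(int c, char *out, size_t outlen)
{
    char visbuf[VISUAL_WIDTH_MAX + 1];
    ssize_t vcnt = model_visual_char(visbuf, VISUAL_WIDTH_MAX, c);
    if (vcnt < 0)
        return 0;
    visbuf[vcnt] = '\0';
    if ((size_t)vcnt + 1 > outlen)
        return 0;
    memcpy(out, visbuf, (size_t)vcnt + 1);
    return 1;
}

/* Caller in the shape of em_delete_or_list(): a 0 from the writer becomes
 * CC_ERROR. The CC_* values are the example's own, not libedit's. */
enum { CC_NORM = 0, CC_ERROR = 6 };
static int delete_or_list_model(int c, char *out, size_t outlen)
{
    if (writec_checked(c, out, outlen) == 0)
        return CC_ERROR;
    return CC_NORM;
}

int main(void)
{
    char out[VISUAL_WIDTH_MAX + 1];
    int rc = delete_or_list_model(0x04, out, sizeof out);
    printf("^D renders as \"%s\" (rc %d, pre-fix index %zd)\n",
           rc == CC_NORM ? out : "?", rc, unchecked_terminator_index(0x04));
    printf("0x80: pre-fix index %zd, checked rc %d\n",
           unchecked_terminator_index(0x80),
           delete_or_list_model(0x80, out, sizeof out));
    return 0;
}
```

The point the model makes concrete is the one the analysis relies on: with len fixed at 8 and c fixed at 4, the renderer always returns 2, so the unchecked write is in bounds today; the guard matters only if a future caller passes a character the renderer refuses.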