Segmentation fault when searching for empty regex
--------------------------------------------------
Searching for a regex like 'm*', which also includes zero 'm's, an empty
expression is found indefinitely in 'highlight_searchtext(...)', which
eventually results in an overflow of 'pt1'. The patch below fixes this
particular problem, but I would guess there are many other regular
expressions that would lead to an overflow of 'pt1', so its size
should definitely be checked before every 'strcpy(pt1,...)' and
the loop be aborted accordingly. (Or 'pt1' should be allocated
and enlarged dynamically.)
*** 14777,14782 ****
--- 14777,14784 ----
if (status != REG_NOMATCH) {
size = pmatch[0].rm_so;
+ if (size == 0) break; /* check for zero size -> infinite loop */
+
/* copy first part original text */
memcpy(pt1, pt, size);
pt1 += size;
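Review bot: the added `if (size == 0) break;` tests the match offset, not the match length, so it also aborts on any non-empty match that starts at the current position (`rm_so == 0`, `rm_eo > 0`), and from then on nothing in the remaining text is highlighted. The condition that actually causes the endless loop is an empty match, `pmatch[0].rm_eo == pmatch[0].rm_so`; check that instead, and rather than breaking out, copy one byte of the original text and advance `pt` by one so the search continues past the empty match. The `break` also leaves the loop without passing through the `while (status != REG_NOMATCH)` test, which is fine here only because the tail copy after the loop handles the rest of `pt`.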
***************
*** 14788,14795 ****
--- 14790,14799 ----
/* see also rsputs2(char* ) */
if (hidden)
+ /* need to check size of pt1 !!! */
strcpy(pt1,
"\001B\004style=\003color:black;background-color:#ffff66\003\002");
else
+ /* need to check size of pt1 !!! */
strcpy(pt1, "<B style=\"color:black;background-color:#ffff66\">");
pt1 += strlen(pt1);
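Review bot: the two `/* need to check size of pt1 !!! */` comments mark the right places but add no check; both `strcpy` calls still write a fixed literal of about 50 bytes into `pt1` unconditionally. The function needs the end of the destination buffer (or its remaining capacity) in scope so each copy can be guarded, e.g. compare `strlen(literal) + 1` against `end - pt1` before the `strcpy`, or replace the `strcpy`/`pt1 += strlen(pt1)` pair with a single `snprintf(pt1, end - pt1, ...)` whose return value is checked for truncation. Placing a comment between `if (hidden)` and the `strcpy` is legal C, but a later edit that turns the comment into a statement would silently detach the `else`, so braces around both branches would be safer.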
***************
*** 14802,14814 ****
--- 14806,14821 ----
/* add coloring 2nd part */
if (hidden)
+ /* need to check size of pt1 !!! */
strcpy(pt1, "\001/B\002");
else
+ /* need to check size of pt1 !!! */
strcpy(pt1, "</B>");
pt1 += strlen(pt1);
}
} while (status != REG_NOMATCH);
+ /* need to check size of pt1 !!! */
strcpy(pt1, pt);
} |
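Review bot: the final `strcpy(pt1, pt)` after the loop is the largest unbounded write in this function, since `pt` is the entire remaining source text and nothing limits how much of it fits in `pt1`; the closing-tag copies above it have the same unchecked pattern as the opening tags. The tail copy should become a length-limited `memcpy` with an explicit NUL terminator (or `snprintf`), and when the remaining text does not fit the function should truncate or fail visibly rather than run past the buffer. If the buffer is enlarged dynamically instead, as the report suggests, note that every `pt1 +=` must be recomputed after a `realloc`, because the base pointer can move.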
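The failure described in the report has two parts: a pattern such as 'm*' that matches the empty string at the same offset on every pass, so the loop never advances, and 'strcpy' into a fixed 'pt1' with no capacity check. The following is an added example written for this note, not code from the project or the reporter, showing a bounded highlight loop that treats empty matches and a too-small output buffer as the edge cases they are. 'highlight_bounded', 'append_bounded', 'run_case' and 'truncation_refused' are hypothetical names, and the '<B>'/'</B>' tags and sample strings are constructed.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Copy n bytes from src into *dst only if they fit with room left for the
 * terminating NUL. Returns 0 on success, -1 if the copy would overrun. */
static int append_bounded(char **dst, size_t *left, const char *src, size_t n)
{
    if (n >= *left)
        return -1;
    memcpy(*dst, src, n);
    *dst += n;
    *left -= n;
    return 0;
}

/* Hypothetical bounded highlighter (not the project's highlight_searchtext()).
 * Wraps each match of `pattern` in `text` with `open`/`close`, writing into
 * out[outsz]. An empty match is skipped by emitting one literal byte and
 * advancing, so a pattern like "m*" cannot loop forever. Returns the number
 * of matches highlighted, or -1 (with out[0] == '\0') if the pattern is
 * invalid or the result would not fit in the buffer. */
int highlight_bounded(const char *text, const char *pattern,
                      const char *open, const char *close,
                      char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m;
    const char *pt = text;   /* read cursor into the source text */
    char *pt1 = out;         /* write cursor into the output buffer */
    size_t left = outsz;     /* bytes still free in out, NUL included */
    int count = 0;

    if (outsz == 0 || regcomp(&re, pattern, REG_EXTENDED) != 0) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }

    /* REG_NOTBOL after the first round keeps '^' from matching mid-text. */
    while (*pt && regexec(&re, pt, 1, &m, pt == text ? 0 : REG_NOTBOL) == 0) {
        size_t so = (size_t)m.rm_so, eo = (size_t)m.rm_eo;

        /* unmatched prefix, bounds-checked instead of a bare memcpy */
        if (append_bounded(&pt1, &left, pt, so) < 0)
            goto fail;
        pt += so;

        if (eo == so) {
            /* empty match: the original loop would re-match here forever */
            if (*pt == '\0')
                break;
            if (append_bounded(&pt1, &left, pt, 1) < 0)
                goto fail;
            pt += 1;
            continue;
        }

        if (append_bounded(&pt1, &left, open, strlen(open)) < 0 ||
            append_bounded(&pt1, &left, pt, eo - so) < 0 ||
            append_bounded(&pt1, &left, close, strlen(close)) < 0)
            goto fail;
        pt += eo - so;
        count++;
    }

    /* bounded tail copy in place of the unchecked strcpy(pt1, pt) */
    if (append_bounded(&pt1, &left, pt, strlen(pt)) < 0)
        goto fail;
    *pt1 = '\0';
    regfree(&re);
    return count;

fail:
    regfree(&re);
    out[0] = '\0';
    return -1;
}

/* Run one constructed case into a fixed buffer. Returns the match count when
 * the output equals `expect`, -1 if highlighting was refused, -2 on mismatch. */
int run_case(const char *text, const char *pattern, const char *expect)
{
    char out[64];
    int n = highlight_bounded(text, pattern, "<B>", "</B>", out, sizeof out);
    if (n < 0)
        return -1;
    return strcmp(out, expect) == 0 ? n : -2;
}

/* A buffer too small for the result is refused and left empty, not overrun. */
int truncation_refused(void)
{
    char out[8];
    return highlight_bounded("ammb", "m+", "<B>", "</B>", out, sizeof out) == -1
           && out[0] == '\0';
}

int main(void)
{
    char out[64];   /* constructed sample: the report's 'm*' case */
    int n = highlight_bounded("amb", "m*", "<B>", "</B>", out, sizeof out);
    printf("%d match(es): %s\n", n, out);
    return 0;
}
```

The single change that removes the hang is the `eo == so` branch: an empty match is consumed by copying one source byte and moving on, which is what the report's `break` approximates but without abandoning the rest of the text. Every write goes through `append_bounded`, so the output buffer size is the only thing that needs to be correct.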