| field | value | date |
|---|---|---|
| author | Randy Palamar <randy@rnpnr.xyz> | 2025-12-16 10:56:01 -0700 |
| committer | Randy Palamar <randy@rnpnr.xyz> | 2025-12-16 11:19:28 -0700 |
| commit | 3aa3501aa6d93e96653eb8e8c3662f724d3090ce (patch) | |
| tree | c000bed1950463a1306880913182c8d90fb24187 /text-internal.h | |
| parent | 992804cb27993d5de8e6830a8ab9268045ce6892 (diff) | |
| download | vis-3aa3501aa6d93e96653eb8e8c3662f724d3090ce.tar.gz vis-3aa3501aa6d93e96653eb8e8c3662f724d3090ce.tar.xz | |
text-iterator: fix one byte over-read in codepoint iterator

Reported by @kyx0r here: https://github.com/kyx0r/nextvi/issues/189#issuecomment-3650406932

The crash is relatively hard to reproduce as it relies on there
being no padding after the end of the memory allocation. This can
only happen if the text size is an exact multiple of the system
page size. In the linked backtrace it->start = 0x7ffff0e00000 and
it->end = 0x7ffff7200000 (page size was likely 4K or 0x1000) so
it->end, which is one past the last byte of the text, was pointing
to an entirely different page. Dereferencing it can cause a
segfault. If it doesn't segfault it is still incorrect to read
beyond the end of the text even if it happens to work due to
padding.

The underlying text_iterator_byte_{next,prev}() functions were
already handling this correctly. The fix is to not throw away
their work.
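The failure mode the commit message describes, as an added C example that is not vis's own code: a hypothetical bounds-checked UTF-8 codepoint iterator (`CpIter`, `cp_next`, `decode_first` and `count_codepoints_at_page_boundary` are all assumed names, not identifiers from vis) run over a constructed text whose size is an exact multiple of the page size, with the following page mapped `PROT_NONE`. That layout reproduces the "no padding after the allocation" condition deterministically: any dereference of `it->end` faults instead of passing by luck of padding. The decoder checks that every byte of a multibyte sequence lies before `end` before reading it; the policy of emitting U+FFFD for a truncated or malformed sequence is an assumption of this example.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Hypothetical iterator layout (assumed for this example, not vis's struct). */
typedef struct {
    const unsigned char *start;
    const unsigned char *end;   /* one past the last byte: never dereferenced */
    const unsigned char *cur;
} CpIter;

/* Decode the codepoint at it->cur and advance. Every byte is checked against
 * it->end before it is read, so a lead byte sitting on the last byte of the
 * text cannot pull in bytes past the end. Returns 0 at end of text, else 1.
 * Truncated or malformed sequences yield U+FFFD and consume one byte
 * (assumed policy). */
int cp_next(CpIter *it, uint32_t *cp) {
    if (it->cur >= it->end) return 0;
    unsigned char b = *it->cur;
    size_t len;
    uint32_t v;
    if (b < 0x80)              { len = 1; v = b; }
    else if ((b & 0xE0) == 0xC0) { len = 2; v = b & 0x1F; }
    else if ((b & 0xF0) == 0xE0) { len = 3; v = b & 0x0F; }
    else if ((b & 0xF8) == 0xF0) { len = 4; v = b & 0x07; }
    else { it->cur++; *cp = 0xFFFD; return 1; }   /* stray continuation byte */
    /* The over-read class of bug is trusting the lead byte's length and reading
     * len bytes unconditionally. Verify the remaining bytes exist first. */
    if ((size_t)(it->end - it->cur) < len) { it->cur++; *cp = 0xFFFD; return 1; }
    for (size_t i = 1; i < len; i++) {
        unsigned char c = it->cur[i];
        if ((c & 0xC0) != 0x80) { it->cur++; *cp = 0xFFFD; return 1; }
        v = (v << 6) | (c & 0x3F);
    }
    it->cur += len;
    *cp = v;
    return 1;
}

/* Decode only the first codepoint of buf[0..len). Returns 0 for an empty buffer. */
uint32_t decode_first(const unsigned char *buf, size_t len) {
    CpIter it = { buf, buf + len, buf };
    uint32_t cp = 0;
    return cp_next(&it, &cp) ? cp : 0;
}

/* Build a text that fills exactly one page, followed by a PROT_NONE guard page,
 * mirroring the layout in the commit message (it->end on a different, unmapped
 * page). Iterate over every codepoint; an over-read would fault here rather than
 * silently succeed. Returns the number of codepoints decoded, or -1 on mmap
 * failure. */
long count_codepoints_at_page_boundary(void) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, (size_t)(2 * page), PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    if (mprotect(mem + page, (size_t)page, PROT_NONE) != 0) {
        munmap(mem, (size_t)(2 * page));
        return -1;
    }
    /* Constructed text: 'a' repeated, ending with the first two bytes of U+20AC
     * (E2 82 AC) so a multibyte lead byte sits on the final byte of the page. */
    memset(mem, 'a', (size_t)page);
    mem[page - 2] = 0xE2;
    mem[page - 1] = 0x82;
    CpIter it = { mem, mem + page, mem };
    uint32_t cp;
    long n = 0;
    while (cp_next(&it, &cp)) n++;   /* page-2 'a's + two U+FFFD = page codepoints */
    munmap(mem, (size_t)(2 * page));
    return n;
}
```

A guard page like this is a cheap way to make an "it happens to work due to padding" bug fail every time in a unit test; building with AddressSanitizer catches the same over-read on ordinary heap allocations.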
Diffstat (limited to 'text-internal.h')
0 files changed, 0 insertions, 0 deletions
