rs: Fix some pointer arith UB.

If the next column was blank, then the length of the following entry was computed as the end of the following entry minus a global variable "blank" which is not in the same string or allocation. Instead, save the start value of 'p' explicitly instead of abusing '*ep'. Possibly we should just increment p before saving it in sp in the 'blank' case, but at worst that would just mean maxlen might be one char too large which should be harmless. Reviewed by: brooks Differential Revision: https://reviews.freebsd.org/D36832
2024-10-14 20:37:06 +00:00 · 2022-10-05 16:48:05 -07:00 · 2022-10-05 16:48:05 -07:00 · ba86cffb28
parent e5f2d5b35e
commit ba86cffb28
1 changed files with 6 additions and 3 deletions
--- a/usr.bin/rs/rs.c
+++ b/usr.bin/rs/rs.c
@ -114,10 +114,11 @@ main(int argc, char *argv[])
 static void
 getfile(void)
 {
-	char *p;
+	char *p, *sp;
 	char *endp;
 	char **ep;
 	int c;
+	int len;
 	int multisep = (flags & ONEISEPONLY ? 0 : 1);
 	int nullpad = flags & NULLPAD;
 	char **padto;
@ -159,11 +160,13 @@ getfile(void)
 				*ep = blank;
 			else			/* store column entry */
 				*ep = p;
+			sp = p;
 			while (p < endp && *p != isep)
 				p++;		/* find end of entry */
 			*p = '\0';		/* mark end of entry */
-			if (maxlen < p - *ep)	/* update maxlen */
-				maxlen = p - *ep;
+			len = p - sp;
+			if (maxlen < len)	/* update maxlen */
+				maxlen = len;
 			INCR(ep);		/* prepare for next entry */
 		}
 		irows++;			/* update row count */