Fix heap-buffer-overflow in keyword highlighting (#36)#116
Open
Nicolas0315 wants to merge 1 commit intoantirez:masterfrom
Open
Fix heap-buffer-overflow in keyword highlighting (#36)#116Nicolas0315 wants to merge 1 commit intoantirez:masterfrom
Nicolas0315 wants to merge 1 commit intoantirez:masterfrom
Conversation
editorUpdateSyntax() uses memcmp(p, keywords[j], klen) to match keywords against the current position in the rendered line, but does not check that at least klen bytes remain from p to the end of the line. When a short line ends with a prefix that partially matches a keyword, memcmp reads past the allocated buffer. Add a bounds check (klen <= row->rsize - i) before the memcmp call to ensure we only compare within the allocated line buffer. Verified with AddressSanitizer: the overflow no longer triggers. Fixes antirez#36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix a heap-buffer-overflow in
editorUpdateSyntax()triggered bymemcmpreading past the end of the rendered line buffer during keyword matching.Root Cause
The keyword matching loop uses
memcmp(p, keywords[j], klen)without checking that at leastklenbytes remain from the current positionpto the end of the line. When a short line ends with a prefix that partially matches a keyword (e.g. a line containing justintbeing compared against a 6-byte keyword),memcmpreads past the allocated buffer.Fix
Add a bounds check before the
memcmpcall:This ensures we only compare within the allocated line buffer. Short-circuit evaluation means
memcmpis never called when there aren't enough bytes remaining.Verification
Compiled with AddressSanitizer:
clang -fsanitize=address -O1 -g -o kilo kilo.c ./kilo kilo.c # No ASAN errorsFixes #36