blob: 9412980e916e69c3512bb0b69b66d229123756a2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
commit 5ef19e08bbeff74096a1944ec8ba591cdab8cc55
Author: Andrew Hunter <andrew@logicalshift.co.uk>
Date: Sun Nov 13 21:20:23 2011 +0000
Restored a return statement that got deleted way back in changeset 1cd73ed without anybody (well, me) noticing.
The effect of this missing return statement was to make aread callbacks that return true continue as if they had returned false and randomly crash after they try to write to the (now freed) buffer.
Amazingly, this hasn't been reported up until now. I suspect that there are few or no cases where aread callbacks return a value other than zero.
Also added a paranoid buffer check, which is probably unnecessary but looks like good practice in any case.
diff --git a/src/interp.c b/src/interp.c
index 60b3e13..a5fa8fe 100644
--- a/src/interp.c
+++ b/src/interp.c
@@ -1057,6 +1057,7 @@ static void zcode_op_aread_5678(ZDWord* pc,
{
mem[1] = 0;
free(buf);
+ return;
}
}
@@ -1151,7 +1152,7 @@ static void zcode_op_aread_5678(ZDWord* pc,
int x;
mem[1] = 0;
- for (x=0; buf[x] != 0; x++)
+ for (x=0; buf[x] != 0 && x < bufLen; x++)
{
mem[1]++;
buf[x] = unicode_to_lower(buf[x]);
|
