From cde4a505cf546fd9a0cf7d3d6e21336347665054 Mon Sep 17 00:00:00 2001
From: Calvin Rose
Date: Tue, 30 Mar 2021 21:14:42 -0500
Subject: [PATCH 1/3] Fix #673 - check typed array index bounds as well as buffer count.
---
 src/core/net.c | 2 +-
 src/core/pp.c | 2 +-
 src/core/typedarray.c | 13 ++++++++++---
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/core/net.c b/src/core/net.c
index da972fcc..c8c5446d 100644
--- a/src/core/net.c
+++ b/src/core/net.c
@@ -445,7 +445,7 @@ static Janet cfun_net_shutdown(int32_t argc, Janet *argv) {
 janet_arity(argc, 1, 2);
 JanetStream *stream = janet_getabstract(argv, 0, &janet_stream_type);
 janet_stream_flags(stream, JANET_STREAM_SOCKET);
- int shutdown_type = SHUT_RDWR;
+ int shutdown_type = JANET_SHUTDOWN_RW;
 if (argc == 2) {
 const uint8_t *kw = janet_getkeyword(argv, 1);
 if (0 == janet_cstrcmp(kw, "rw")) {
diff --git a/src/core/pp.c b/src/core/pp.c
index b3488c0c..252543e7 100644
--- a/src/core/pp.c
+++ b/src/core/pp.c
@@ -617,7 +617,7 @@ static void janet_pretty_one(struct pretty *S, Janet x, int is_dict_value) {
 if (mincap >= INT32_MAX / 2) {
 S->keysort_capacity = INT32_MAX;
 } else {
- S->keysort_capacity = mincap * 2;
+ S->keysort_capacity = (int32_t) (mincap * 2);
 }
 S->keysort_buffer = janet_srealloc(S->keysort_buffer, sizeof(int32_t) * S->keysort_capacity);
 if (NULL == S->keysort_buffer) {
diff --git a/src/core/typedarray.c b/src/core/typedarray.c
index 649e3397..1c8dd04e 100644
--- a/src/core/typedarray.c
+++ b/src/core/typedarray.c
@@ -498,16 +498,23 @@ static Janet cfun_typed_array_copy_bytes(int32_t argc, Janet *argv) {
 size_t index_src = janet_getsize(argv, 1);
 JanetTArrayView *dst = janet_getabstract(argv, 2, &janet_ta_view_type);
 size_t index_dst = janet_getsize(argv, 3);
+ if (index_src > src->size || index_dst > dst->size) {
+ janet_panic("invalid buffer index");
+ }
 size_t count = (argc == 5) ? janet_getsize(argv, 4) : 1;
+ if (count > dst->size || count > src->size) {
+ janet_panic("typed array copy out of bounds");
+ }
 size_t src_atom_size = ta_type_sizes[src->type];
 size_t dst_atom_size = ta_type_sizes[dst->type];
 size_t step_src = src->stride * src_atom_size;
 size_t step_dst = dst->stride * dst_atom_size;
 size_t pos_src = (src->as.u8 - src->buffer->data) + (index_src * step_src);
 size_t pos_dst = (dst->as.u8 - dst->buffer->data) + (index_dst * step_dst);
- uint8_t *ps = src->buffer->data + pos_src, * pd = dst->buffer->data + pos_dst;
- if ((pos_dst + (count - 1)*step_dst + src_atom_size <= dst->buffer->size) &&
- (pos_src + (count - 1)*step_src + src_atom_size <= src->buffer->size)) {
+ uint8_t *ps = src->buffer->data + pos_src;
+ uint8_t *pd = dst->buffer->data + pos_dst;
+ if ((pos_dst + (count - 1) * step_dst + src_atom_size <= dst->buffer->size) &&
+ (pos_src + (count - 1) * step_src + src_atom_size <= src->buffer->size)) {
 for (size_t i = 0; i < count; i++) {
 memmove(pd, ps, src_atom_size);
 pd += step_dst;
From c258bee54fae50fbf2432990dfe2a4f801af7bb8 Mon Sep 17 00:00:00 2001
From: John Gabriele
Date: Wed, 31 Mar 2021 21:27:03 -0400
Subject: [PATCH 2/3] Add note about sponsorship to README
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index 0bed6ae6..79ee0419 100644
--- a/README.md
+++ b/README.md
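Review bot: The two guards added to `cfun_typed_array_copy_bytes` in src/core/typedarray.c compare `index_src`/`index_dst` and `count` with `size` separately, so the range actually copied, `index + count`, is never bounded by the view; `index_src == src->size` together with `count == src->size` passes both tests. If `size` is the element count of a view that can sit inside a larger buffer (the `as.u8 - buffer->data` offset suggests it can), such a call is then limited only by the later `buffer->size` comparison and could touch elements outside the view. One check placed after `count` is read, written with subtraction so it cannot wrap, would cover index and range together: `if (index_src > src->size || count > src->size - index_src || index_dst > dst->size || count > dst->size - index_dst) janet_panic("typed array copy out of bounds");`. The function begins before this hunk and continues past its last line, so whatever happens when the final `buffer->size` test fails is not visible here.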
@@ -17,6 +17,9 @@ to run script files. This client program is separate from the core runtime, so Janet can be embedded in other programs. Try Janet in your browser at [https://janet-lang.org](https://janet-lang.org). +If you'd like to financially support the ongoing development of Janet, consider +[sponsoring its primary author through github](https://github.com/sponsors/bakpakin). +
## Use Cases From da06e6c6e31da337e70edf59baeabf1d7db36280 Mon Sep 17 00:00:00 2001 From: John Gabriele Date: Wed, 31 Mar 2021 21:40:30 -0400 Subject: [PATCH 3/3] Update README.md Co-authored-by: Michael Camilleri --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 79ee0419..961c1d2f 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ Janet can be embedded in other programs. Try Janet in your browser at [https://janet-lang.org](https://janet-lang.org). If you'd like to financially support the ongoing development of Janet, consider -[sponsoring its primary author through github](https://github.com/sponsors/bakpakin). +[sponsoring its primary author](https://github.com/sponsors/bakpakin) through GitHub.