Address #301

Incorrect bounds checking and offset calculation in buffer/blit.
2024-11-28 11:09:54 +00:00 · 2020-03-08 20:43:06 -05:00 · 2020-03-08 20:43:06 -05:00 · a3d4ecddba
commit a3d4ecddba
parent 3d3d314fb7
4 changed files with 19 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -17,7 +17,8 @@ All notable changes to this project will be documented in this file.
 - Correct arity for `marshal`
 - Add `flush` and `eflush`
 - Add `prompt` and `return` on top of signal for user friendly delimited continuations.
- Fix possible segfault with malformed pegs.
+- Fix bug in buffer/blit when using the offset-src argument.
+- Fix segfault with malformed pegs.

 ## 1.7.0 - 2020-02-01
 - Remove `file/fileno` and `file/fdopen`.
--- a/src/core/buffer.c
+++ b/src/core/buffer.c
@ -334,13 +334,15 @@ static Janet cfun_buffer_blit(int32_t argc, Janet *argv) {
    } else {
        length_src = src.len - offset_src;
    }
-    int64_t last = ((int64_t) offset_dest - offset_src) + length_src;
+    int64_t last = (int64_t) offset_dest + length_src;
    if (last > INT32_MAX)
        janet_panic("buffer blit out of range");
-    janet_buffer_ensure(dest, (int32_t) last, 2);
-    if (last > dest->count) dest->count = (int32_t) last;
+    int32_t last32 = (int32_t) last;
+    janet_buffer_ensure(dest, last32, 2);
+    if (last32 > dest->count) dest->count = last32;
    if (length_src) {
        if (same_buf) {
+            /* janet_buffer_ensure may have invalidated src */
            src.bytes = dest->data;
            memmove(dest->data + offset_dest, src.bytes + offset_src, length_src);
        } else {
@ -438,7 +440,7 @@ static const JanetReg buffer_cfuns[] = {
    },
    {
        "buffer/blit", cfun_buffer_blit,
-        JDOC("(buffer/blit dest src & opt dest-start src-start src-end)\n\n"
+        JDOC("(buffer/blit dest src &opt dest-start src-start src-end)\n\n"
             "Insert the contents of src into dest. Can optionally take indices that "
             "indicate which part of src to copy into which part of dest. Indices can be "
             "negative to index from the end of src or dest. Returns dest.")
--- a/src/mainclient/shell.c
+++ b/src/mainclient/shell.c
@ -623,7 +623,7 @@ static int line() {
                if (gbl_len == 0) {   /* quit on empty line */
                    clearlines();
                    return -1;
-                } 
+                }
                kdelete(1);
                break;
            case 5:     /* ctrl-e */
--- a/test/suite8.janet
+++ b/test/suite8.janet
@ -126,4 +126,14 @@
 (assert (= false (match {:a 1 :b 2 :c 3} {:a a :b _ :c _ :d _} :no {:a _ :b _ :c _} false :no)) "match wildcard 6")
 (assert (= nil (match {:a 1 :b 2 :c 3} {:a a :b _ :c _ :d _} :no {:a _ :b _ :c _} nil :no)) "match wildcard 7")

+# Regression #301
+(def b (buffer/new-filled 128 0x78))
+(assert (= 38 (length (buffer/blit @"" b -1 90))) "buffer/blit 1")
+
+(def a @"abcdefghijklm")
+(assert (deep= @"abcde" (buffer/blit @"" a -1 0 5)) "buffer/blit 2")
+(assert (deep= @"bcde" (buffer/blit @"" a -1 1 5)) "buffer/blit 3")
+(assert (deep= @"cde" (buffer/blit @"" a -1 2 5)) "buffer/blit 4")
+(assert (deep= @"de" (buffer/blit @"" a -1 3 5)) "buffer/blit 5")
+
 (end-suite)