From dcs@newsguy.com  Fri Jan 22 23:46:17 1999
Received: from peach.ocn.ne.jp (peach.ocn.ne.jp [210.145.254.87])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA27952
          for <FreeBSD-gnats-submit@freebsd.org>; Fri, 22 Jan 1999 23:46:16 -0800 (PST)
          (envelope-from dcs@newsguy.com)
Received: from daniel.sobral by peach.ocn.ne.jp (8.9.1a/OCN) id QAA02376; Sat, 23 Jan 1999 16:46:04 +0900 (JST)
Received: (from root@localhost)
	by daniel.sobral (8.9.1/8.9.1) id QAA01516;
	Sat, 23 Jan 1999 16:42:59 +0900 (JST)
	(envelope-from root)
Message-Id: <199901230742.QAA01516@daniel.sobral>
Date: Sat, 23 Jan 1999 16:42:59 +0900 (JST)
From: dcs@newsguy.com
Reply-To: dcs@newsguy.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: ficl type problem
X-Send-Pr-Version: 3.2

>Number:         9630
>Category:       bin
>Synopsis:       FICL copy a string to a buffer possibly too small
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 22 23:50:01 PST 1999
>Closed-Date:    Sat Jan 23 21:59:17 PST 1999
>Last-Modified:  Sat Jan 23 21:59:29 PST 1999
>Originator:     Daniel C. Sobral
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	Current as of Jan 23.

>Description:

	FICL's TYPE copies the counted string to HERE, as abial has
remarked. Answering abial's question, this is NOT guaranteed to have
enough space.

>How-To-Repeat:

	Not sure. Possibly "here 50 chars - unused 50 + type". :-)

>Fix:

	We have dynamic memory. Even before memory-alloc got in, we
already had dynamic memory. Use it, then! (ficlMalloc is sysdep, so I
suppose that's why it was not used for TYPE; ficl is probably designed
to work without a working ficlFree).

	Apply the following fix:


--- src/sys/boot/ficl/words.c	1999/01/23 07:27:34	1.9
+++ src/sys/boot/ficl/words.c	1999/01/23 07:34:09
@@ -2781,26 +2781,22 @@
 {
     UNS32 count = stackPopUNS32(pVM->pStack);
     char *cp    = stackPopPtr(pVM->pStack);
+    char *pDest = (char *)ficlMalloc(count);
 
     /* 
     ** Since we don't have an output primitive for a counted string
     ** (oops), make sure the string is null terminated. If not, copy
     ** and terminate it.
     */
-    /* XXX Uses free space on top of dictionary. Is it guaranteed
-     * XXX to always fit? (abial)
-     */
-    if (cp[count] != '\0')
-    {
-        char *pDest = (char *)ficlGetDict()->here;
-        if (cp != pDest)
-            strncpy(pDest, cp, count);
+    if (!pDest)
+	vmThrowErr(pVM, "Error: out of memory");
 
-        pDest[count] = '\0';
-        cp = pDest;
-    }
+    strncpy(pDest, cp, count);
+    pDest[count] = '\0';
 
     vmTextOut(pVM, cp, 0);
+
+    ficlFree(pDest);
     return;
 }
 
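Review bot: the allocation on the first added line, `ficlMalloc(count)`, is one byte short: `pDest[count] = '\0'` later in the hunk writes to index `count` of a `count`-byte buffer, so the patch swaps a possible overrun of the dictionary free space for a certain one-byte heap overflow on every call; it needs `ficlMalloc(count + 1)`, which also avoids the spurious "out of memory" that `ficlMalloc(0)` can produce for an empty string. Second, `vmTextOut(pVM, cp, 0)` still passes `cp`: the removed `cp = pDest;` was what made the terminated copy the string actually emitted, so as written the copy is made, terminated and freed without being printed and the unterminated original goes to vmTextOut; change it to `vmTextOut(pVM, pDest, 0);`. The retained comment ("If not, copy and terminate it") describes a conditional that no longer exists, since the copy is now unconditional, so reword it. Finally, the `strncpy` after the `!pDest` check relies on `vmThrowErr` never returning; if it can return, `pDest` is NULL there, so either confirm that or add an explicit `return`.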

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: fenner 
Responsible-Changed-When: Sat Jan 23 00:41:06 PST 1999 
Responsible-Changed-Why:  
Fixing misfiled PR. 
State-Changed-From-To: open->closed 
State-Changed-By: msmith 
State-Changed-When: Sat Jan 23 21:59:17 PST 1999 
State-Changed-Why:  
Committed 
>Unformatted:
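The Description and Fix above come down to one memory-safety question: does the counted string plus its terminating NUL fit in whatever buffer TYPE copies it into? The C below is an added example, not ficl's own code. MiniDict is a hypothetical stand-in for ficl's dictionary (the names base, here and size are assumed), type_unchecked_overrun measures how far the old unchecked copy to HERE would run past the block, and the two checked variants are the in-dictionary copy with a size check and the heap copy sized count + 1. The 64-byte dictionary with 4 free bytes and the sample strings are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical miniature of the ficl dictionary: a fixed block of cells
 * with a "here" pointer at the first unused byte, the space TYPE borrowed.
 */
typedef struct {
    char   *base;   /* start of the block */
    char   *here;   /* first free byte (Forth HERE) */
    size_t  size;   /* total bytes in the block */
} MiniDict;

/* Bytes free above HERE. */
static size_t dict_free(const MiniDict *d)
{
    return d->size - (size_t)(d->here - d->base);
}

/*
 * The pattern the PR reports: copy the counted string to HERE and write a
 * NUL after it with no check that count + 1 bytes are free.  Instead of
 * performing the out-of-bounds write, return how many bytes would land
 * past the end of the block (0 if it fits).
 */
static size_t type_unchecked_overrun(const MiniDict *d, size_t count)
{
    size_t need  = count + 1;          /* string plus terminating NUL */
    size_t avail = dict_free(d);
    return need > avail ? need - avail : 0;
}

/*
 * Fix 1: keep using dictionary free space but refuse when the string and
 * its terminator do not fit.  Returns 1 and sets *out, or 0 if too long.
 * memmove tolerates cp already living inside the dictionary.
 */
static int type_in_dict_checked(MiniDict *d, const char *cp, size_t count, char **out)
{
    if (count == (size_t)-1 || count + 1 > dict_free(d))
        return 0;
    char *pDest = d->here;
    if (cp != pDest)
        memmove(pDest, cp, count);
    pDest[count] = '\0';
    *out = pDest;
    return 1;
}

/*
 * Fix 2: the heap route the PR proposes, with the allocation sized
 * count + 1 so the NUL has a byte of its own (the submitted patch
 * allocates count, one short).  Caller frees the result; NULL on failure.
 */
static char *type_heap(const char *cp, size_t count)
{
    if (count == (size_t)-1)
        return NULL;
    char *pDest = malloc(count + 1);
    if (!pDest)
        return NULL;
    memcpy(pDest, cp, count);
    pDest[count] = '\0';
    return pDest;
}

/* Constructed scenario: n-byte dictionary with only 4 bytes free above HERE. */
static MiniDict tight_dict(char *cells, size_t n)
{
    MiniDict d = { cells, cells + (n - 4), n };
    return d;
}

/* Entry points that return their result so it can be checked, not just printed. */
static size_t demo_overrun(void)
{
    char cells[64];
    MiniDict d = tight_dict(cells, sizeof cells);
    return type_unchecked_overrun(&d, 11);     /* "hello world": 12 needed, 4 free */
}

static int demo_refused(void)
{
    char cells[64];
    MiniDict d = tight_dict(cells, sizeof cells);
    char *out;
    return type_in_dict_checked(&d, "hello world", 11, &out);
}

static int demo_fits(void)
{
    char cells[64];
    MiniDict d = tight_dict(cells, sizeof cells);
    char *out;
    return type_in_dict_checked(&d, "abcdef", 3, &out) && strcmp(out, "abc") == 0;
}

static int demo_heap(void)
{
    char *s = type_heap("hello world", 5);
    int ok = s != NULL && strcmp(s, "hello") == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("unchecked TYPE overruns the dictionary by %zu bytes\n", demo_overrun());
    printf("checked in-dict TYPE on the long string: %s\n", demo_refused() ? "copied" : "refused");
    printf("checked in-dict TYPE on a short string fits: %d\n", demo_fits());
    printf("heap TYPE copies and terminates correctly: %d\n", demo_heap());
    return 0;
}
```

Build with a plain C99 compiler (cc -std=c99 -Wall). The point the two checked variants share is that the size needed is count + 1, not count, and that the check happens before the copy; which buffer is used is secondary.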
