emacs: fix crash due to read before start of buffer

It's amazing what can happen when you compile ksh using standard malloc (i.e. with AST vmalloc disabled) on OpenBSD. Its security hardening provokes crashes that reveal decades-old unsolved bugs. This one is an attempt to access one byte before the beginning of the command line buffer when the cursor is at the beginning of it. On this system configuration, it provoked an instant crash whenever you moved the cursor back to the beginning of the command line, e.g. with ^A or the cursor keys. src/cmd/ksh93/edit/emacs.c: draw(): - Check that the cursor is actually past the first position of the command line buffer before trying to read the position immediately before it. If not, zero the value.
2025-03-09 15:50:02 +00:00 · 2021-02-20 21:09:01 +00:00 · 2021-02-20 21:09:01 +00:00 · 9ccb9572f3
commit 9ccb9572f3
parent 500757d78b
1 changed files with 4 additions and 1 deletions
--- a/src/cmd/ksh93/edit/emacs.c
+++ b/src/cmd/ksh93/edit/emacs.c
@ -1445,7 +1445,10 @@ static void draw(register Emacs_t *ep,Draw_t option)
 	*****************************************/
 	

-	i = *(logcursor-1);	/* last character inserted */
+	if(logcursor > sptr)
+		i = *(logcursor-1);	/* last character inserted */
+	else
+		i = 0;
 #if SHOPT_EDPREDICT
 	if(option==FINAL)
 	{