[syslinux:firmware] com32: Fix bugs on cmd_reverse_search ( Triple fault dimension)

syslinux-bot for Raphael S.Carvalho raphael.scarv at gmail.com
Mon Sep 30 07:54:04 PDT 2013 

Commit-ID:  f8d12e155ba38e9887bba4389a3d386978722044
Gitweb:     http://www.syslinux.org/commit/f8d12e155ba38e9887bba4389a3d386978722044
Author:     Raphael S.Carvalho <raphael.scarv at gmail.com>
AuthorDate: Tue, 17 Sep 2013 16:48:58 -0300
Committer:  Matt Fleming <matt.fleming at intel.com>
CommitDate: Mon, 30 Sep 2013 14:31:38 +0100

com32: Fix bugs on cmd_reverse_search (Triple fault dimension)

cmd_reverse_search has a bug that the variable cursor is updated even if a command
wasn't found. If this happens, and the next key falls into the default case,
memmove's size parameter would be a negative number.

This bug can be reproduced by doing the following:
On cmd_reverse_search (ctrl-r), type multiple keys at the same time.
'Enjoy' the triple fault and a screen of random colors.

There is also a small bug that turns the task of using (ctrl-r) on the first command
impossible. Previously, this command was discarded.

Signed-off-by: Raphael S.Carvalho <raphael.scarv at gmail.com>
Signed-off-by: Matt Fleming <matt.fleming at intel.com>

---
 com32/elflink/ldlinux/cli.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/com32/elflink/ldlinux/cli.c b/com32/elflink/ldlinux/cli.c
index 7c4f14c..a50124c 100644
--- a/com32/elflink/ldlinux/cli.c
+++ b/com32/elflink/ldlinux/cli.c
@@ -89,10 +89,14 @@ static const char * cmd_reverse_search(int *cursor, clock_t *kbd_to,
 	    break;
 	}
 
-	while (!list_is_last(&last_found->list, &cli_history_head)) {
+	while (last_found) {
 	    p = strstr(last_found->command, buf);
 	    if (p)
 	        break;
+
+	    if (list_is_last(&last_found->list, &cli_history_head))
+		break;
+
 	    last_found = list_entry(last_found->list.next, typeof(*last_found), list);
 	}
 
@@ -391,7 +395,7 @@ const char *edit_cmdline(const char *input, int top /*, int width */ ,
 		    len = strlen(cmdline);
 	        } else {
 	            cmdline[0] = '\0';
-		    len = 0;
+		    cursor = len = 0;
 	        }
 	        redraw = 1;
 	    }
@@ -441,6 +445,9 @@ const char *edit_cmdline(const char *input, int top /*, int width */ ,
 		    }
 		    prev_len++;
 		} else {
+		    if (cursor > len)
+			return NULL;
+
 		    memmove(cmdline + cursor + 1, cmdline + cursor,
 			    len - cursor + 1);
 		    cmdline[cursor++] = key;

More information about the Syslinux-commits mailing list