Raphael S.Carvalho
2013-Sep-17 19:48 UTC
[syslinux] [PATCH 3/4 v2] com32: Fix bugs on cmd_reverse_search (Triple fault dimension)
cmd_reverse_search has a bug that the variable cursor is updated even if a command wasn't found. If this happens, and the next key falls into the default case, memmove's size parameter would be a negative number. This bug can be reproduced by doing the following: On cmd_reverse_search (ctrl-r), type multiple keys at the same time. 'Enjoy' the triple fault and a screen of random colors. There is also a small bug that turns the task of using (ctrl-r) on the first command impossible. Previously, this command was discarded. Signed-off-by: Raphael S.Carvalho <raphael.scarv at gmail.com> --- com32/elflink/ldlinux/cli.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/com32/elflink/ldlinux/cli.c b/com32/elflink/ldlinux/cli.c index 7c4f14c..a50124c 100644 --- a/com32/elflink/ldlinux/cli.c +++ b/com32/elflink/ldlinux/cli.c @@ -89,10 +89,14 @@ static const char * cmd_reverse_search(int *cursor, clock_t *kbd_to, break; } - while (!list_is_last(&last_found->list, &cli_history_head)) { + while (last_found) { p = strstr(last_found->command, buf); if (p) break; + + if (list_is_last(&last_found->list, &cli_history_head)) + break; + last_found = list_entry(last_found->list.next, typeof(*last_found), list); } @@ -391,7 +395,7 @@ const char *edit_cmdline(const char *input, int top /*, int width */ , len = strlen(cmdline); } else { cmdline[0] = '\0'; - len = 0; + cursor = len = 0; } redraw = 1; } @@ -441,6 +445,9 @@ const char *edit_cmdline(const char *input, int top /*, int width */ , } prev_len++; } else { + if (cursor > len) + return NULL; + memmove(cmdline + cursor + 1, cmdline + cursor, len - cursor + 1); cmdline[cursor++] = key; -- 1.7.2.5
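Review bot: In the cmd_reverse_search hunk, `while (last_found)` reads as if the loop ends when last_found becomes NULL, but inside the loop it is only reassigned from list_entry(last_found->list.next, ...), and the added list_is_last break stops before that could wrap to the list head, so the condition only guards a NULL value on entry. An explicit `if (!last_found)` check ahead of a `for (;;)` loop, or a comment, would make that intent clear. The code after the loop is outside the visible lines; it should treat p == NULL (exit through the list_is_last break) as "not found" and leave *cursor alone, since that is the case the commit message describes.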
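Review bot: In the edit_cmdline hunk at -391, only the else branch resets cursor; the branch above it sets `len = strlen(cmdline)` and the visible context does not show cursor being brought in line with the new len. If cursor is not set elsewhere on that path, it can still end up greater than len. Setting cursor in both branches, or clamping it once after the if/else, would keep the cursor <= len invariant in one place.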
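Review bot: The added `if (cursor > len) return NULL;` ahead of the memmove in the edit_cmdline hunk at -441 has no comment explaining how cursor could exceed len at this point, and it handles the broken invariant by returning from edit_cmdline on a single key press. If the other two hunks restore the invariant, this path should be unreachable; consider clamping with `cursor = len;` instead of returning, and state the invariant in a comment. The check also leaves a negative cursor uncovered, which would equally make `cmdline + cursor` and the size `len - cursor + 1` wrong.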
Matt Fleming
2013-Sep-30 14:17 UTC
[syslinux] [PATCH 3/4 v2] com32: Fix bugs on cmd_reverse_search (Triple fault dimension)
On Tue, 17 Sep, at 04:48:58PM, Raphael S.Carvalho wrote:
> cmd_reverse_search has a bug that the variable cursor is updated even if a command
> wasn't found. If this happens, and the next key falls into the default case,
> memmove's size parameter would be a negative number.
>
> This bug can be reproduced by doing the following:
> On cmd_reverse_search (ctrl-r), type multiple keys at the same time.
> 'Enjoy' the triple fault and a screen of random colors.
>
> There is also a small bug that turns the task of using (ctrl-r) on the first command
> impossible. Previously, this command was discarded.
>
> Signed-off-by: Raphael S.Carvalho <raphael.scarv at gmail.com>
> ---
> com32/elflink/ldlinux/cli.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)

Applied, thanks.

-- 
Matt Fleming, Intel Open Source Technology Center
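The failure mode described in the commit message at the top of this thread, as an added example that is not part of the patch or of syslinux: what size memmove receives when cursor is left larger than len, and an insert routine that checks the invariant first. CMDLINE_MAX, insert_key and the demo functions are hypothetical names; the sample states are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMDLINE_MAX 16   /* assumed buffer size for this sketch */

/* Size memmove would receive from the unguarded expression
 * (len - cursor + 1) once the int result is converted to size_t. */
static size_t unguarded_move_size(int cursor, int len)
{
    return (size_t)(len - cursor + 1);
}

/* Insert key at cursor, keeping the NUL terminator.
 * Returns 0 on success, -1 if the state is inconsistent or the buffer is full. */
static int insert_key(char *cmdline, int *cursor, int *len, char key)
{
    if (*len < 0 || *cursor < 0 || *cursor > *len)
        return -1;                  /* invariant 0 <= cursor <= len is broken */
    if (*len + 1 >= CMDLINE_MAX)
        return -1;                  /* no room for the key plus terminator */
    memmove(cmdline + *cursor + 1, cmdline + *cursor,
            (size_t)(*len - *cursor) + 1);
    cmdline[(*cursor)++] = key;
    (*len)++;
    return 0;
}

/* Constructed state: cursor left at 5 after the line was reset to empty. */
static int demo_stale_cursor(void)
{
    char cmdline[CMDLINE_MAX] = "";
    int cursor = 5, len = 0;
    return insert_key(cmdline, &cursor, &len, 'x');
}

/* Constructed state: consistent cursor, insertion in the middle of "boot". */
static int demo_valid_insert(char *out)
{
    char cmdline[CMDLINE_MAX] = "boot";
    int cursor = 2, len = 4;
    int rc = insert_key(cmdline, &cursor, &len, 'X');
    strcpy(out, cmdline);
    return rc == 0 && cursor == 3 && len == 5;
}

int main(void)
{
    char out[CMDLINE_MAX];
    printf("unguarded size: %zu\n", unguarded_move_size(5, 0));
    printf("stale cursor rc: %d\n", demo_stale_cursor());
    printf("valid insert ok: %d (%s)\n", demo_valid_insert(out), out);
    return 0;
}
```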