[src/netbsd-8]: src/external/bsd/nvi/dist/vi Pull up following revision(s) (r...

[martin <martin%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/a924d78d7212
branches:  netbsd-8
changeset: 935653:a924d78d7212
user:      martin <martin%NetBSD.org@localhost>
date:      Tue Jul 07 19:55:23 2020 +0000

description:
Pull up following revision(s) (requested by rin in ticket #1569):

        external/bsd/nvi/dist/vi/v_txt.c: revision 1.7

PR bin/55468

Fix crash due to out-of-bounds access with Ctrl-W.
PR is only for nottywerase, but also fix ttywerase case, taken from

OpenBSD via nvi2:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/vi/vi/v_txt.c#rev1.23
https://github.com/lichray/nvi2/commit/5d5365d3585f45651f9b4a366391798a91393337

Also, comment there is no worry for altwerase specific code, which
seems suspicious at a glance.

Reported by Azuma OKAMOTO.

Thanks for detailed explanation how to reproduce the problem!

diffstat:

 external/bsd/nvi/dist/vi/v_txt.c |  26 ++++++++++++--------------
 1 files changed, 12 insertions(+), 14 deletions(-)

diffs (61 lines):

diff -r 557fb0485caf -r a924d78d7212 external/bsd/nvi/dist/vi/v_txt.c
--- a/external/bsd/nvi/dist/vi/v_txt.c  Tue Jul 07 12:48:42 2020 +0000
+++ b/external/bsd/nvi/dist/vi/v_txt.c  Tue Jul 07 19:55:23 2020 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: v_txt.c,v 1.4 2014/01/26 21:43:45 christos Exp $ */
+/*     $NetBSD: v_txt.c,v 1.4.22.1 2020/07/07 19:55:23 martin Exp $ */
 /*-
  * Copyright (c) 1993, 1994
  *     The Regents of the University of California.  All rights reserved.
@@ -16,7 +16,7 @@
 static const char sccsid[] = "Id: v_txt.c,v 10.108 2003/07/18 21:27:42 skimo Exp  (Berkeley) Date: 2003/07/18 21:27:42 ";
 #endif /* not lint */
 #else
-__RCSID("$NetBSD: v_txt.c,v 1.4 2014/01/26 21:43:45 christos Exp $");
+__RCSID("$NetBSD: v_txt.c,v 1.4.22.1 2020/07/07 19:55:23 martin Exp $");
 #endif
 
 #include <sys/types.h>
@@ -1115,32 +1115,30 @@
                 */
                if (LF_ISSET(TXT_TTYWERASE))
                        while (tp->cno > max) {
-                               --tp->cno;
-                               ++tp->owrite;
-                               if (FL_ISSET(is_flags, IS_RUNNING))
-                                       tp->lb[tp->cno] = ' ';
                                if (ISBLANK((UCHAR_T)tp->lb[tp->cno - 1]))
                                        break;
-                       }
-               else {
-                       if (LF_ISSET(TXT_ALTWERASE)) {
                                --tp->cno;
                                ++tp->owrite;
                                if (FL_ISSET(is_flags, IS_RUNNING))
                                        tp->lb[tp->cno] = ' ';
-                               if (ISBLANK((UCHAR_T)tp->lb[tp->cno - 1]))
-                                       break;
+                       }
+               else {
+                       if (LF_ISSET(TXT_ALTWERASE)) {
+                               --tp->cno; /* No worry for out of bounds. */
+                               ++tp->owrite;
+                               if (FL_ISSET(is_flags, IS_RUNNING))
+                                       tp->lb[tp->cno] = ' ';
                        }
                        if (tp->cno > max)
                                tmp = inword((UCHAR_T)tp->lb[tp->cno - 1]);
                        while (tp->cno > max) {
+                               if (tmp != inword((UCHAR_T)tp->lb[tp->cno - 1])
+                                   || ISBLANK((UCHAR_T)tp->lb[tp->cno - 1]))
+                                       break;
                                --tp->cno;
                                ++tp->owrite;
                                if (FL_ISSET(is_flags, IS_RUNNING))
                                        tp->lb[tp->cno] = ' ';
-                               if (tmp != inword((UCHAR_T)tp->lb[tp->cno - 1])
-                                   || ISBLANK((UCHAR_T)tp->lb[tp->cno - 1]))
-                                       break;
                        }
                }