fix(subprocess): NUL-terminate cbm_build_win_cmdline buf on overflow (post-review, follow-up to #881)#889
Conversation
|
This is great, @Flipper1994 — the fix is spot on: One thing before we merge, to match our reproduce-first convention: this still needs a test that is RED on current TEST(win_cmdline_overflow_leaves_empty_string) {
char buf[8];
const char *const argv[] = {"averylongprogramname", "x", NULL};
ASSERT_FALSE(cbm_build_win_cmdline(buf, sizeof(buf), argv)); /* overflows cap */
ASSERT_EQ(buf[0], '\0'); /* RED on unfixed: buf[0] holds a partial byte, not NUL */
PASS();
}On the pre-fix code |
Follow-up to DeusData#881. cbm_build_win_cmdline() returned false from inside its loop on buffer overflow without NUL-terminating buf, although its header contract states the buffer holds a string. No live bug — both call sites (cbm_run_win and the UI http_server index spawn) ignore buf when the function returns false — but a future caller trusting the documented contract could read an unterminated (possibly uninitialized) buffer. Set buf[0]='\0' on the overflow path so it is always a valid string, and correct the header comment to match. Reproduce-first: the new win_cmdline_overflow_leaves_empty_string test feeds an argv that overflows a small cap and asserts buf[0]=='\0'. It is RED on the pre-fix code (buf[0] holds the first quoted byte '"' = 0x22) and GREEN with the fix. Also tidies two review nits in the same files: - fix the stale cbm_cmdline_put comment (it returns pos UNCHANGED on overflow; the overflow is signalled via *ovf, not an advancing pos), - bounds-guard the reference CommandLineToArgvW parser in the round-trip test. Refs: DeusData#881 Signed-off-by: Flipper <jacobphilipp@ymail.com>
10d5268 to
a57d8e3
Compare
|
Done — added |
|
Merged ( |
Summary
Small post-review tidy — follow-up to #881 (already merged). Pure polish: no functional change for any real input.
The one substantive fix
cbm_build_win_cmdline()(src/foundation/subprocess.c) returnsfalsefrom inside its loop on buffer overflow without NUL-terminatingbuf, although its header contract insubprocess.hsays the buffer holds a string. There is no live bug — both call sites (cbm_run_winand the UIhttp_serverindex spawn) ignorebufwhen the function returnsfalse— but a future caller trusting the documented contract could read an unterminated (possibly uninitialized) buffer. This setsbuf[0] = '\0'on the overflow path sobufis always a valid string, and corrects the header comment to match.Also (same files, same review pass)
cbm_cmdline_putcomment — it returnsposunchanged on overflow; the overflow is signalled via*ovf, not via an advancingpos.CommandLineToArgvWparser in the round-trip test (tests/test_subprocess.c) so a hypothetical future over-long test argument fails safely instead of overflowing its 256-byte row.These came out of an adversarial self-review of #881 after it had already merged; landing them per the boy-scout rule rather than leaving a contract inaccuracy in a public function.
Refs #881.