From 25acad3cbc9b56dd0f006e32c94d56824f1669db Mon Sep 17 00:00:00 2001
From: Neil
Date: Tue, 7 Mar 2017 15:54:33 +1100
Subject: Avoid potential problems with memcmp reading past end of object.

---
 lexers/LexErrorList.cxx | 3 ++-
 src/Document.cxx | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lexers/LexErrorList.cxx b/lexers/LexErrorList.cxx
index 6dc6b025e..7aaf9a5ad 100644
--- a/lexers/LexErrorList.cxx
+++ b/lexers/LexErrorList.cxx
@@ -106,7 +106,8 @@ static int RecogniseErrorListLine(const char *lineBuffer, Sci_PositionU lengthLi
// perl error message:
// at line
return SCE_ERR_PERL;
- } else if ((memcmp(lineBuffer, " at ", 6) == 0) &&
+ } else if ((lengthLine >= 6) &&
+ (memcmp(lineBuffer, " at ", 6) == 0) &&
strstr(lineBuffer, ":line ")) {
// A .NET traceback
return SCE_ERR_NET;
diff --git a/src/Document.cxx b/src/Document.cxx
index e7bb9c009..f302533dc 100644
--- a/src/Document.cxx
+++ b/src/Document.cxx
@@ -1887,7 +1887,7 @@ long Document::FindText(int minPos, int maxPos, const char *search,
}
} else if (SC_CP_UTF8 == dbcsCodePage) {
const size_t maxFoldingExpansion = 4;
- std::vector searchThing(lengthFind * UTF8MaxBytes * maxFoldingExpansion + 1);
+ std::vector searchThing((lengthFind+1) * UTF8MaxBytes * maxFoldingExpansion + 1);
const int lenSearch = static_cast(
pcf->Fold(&searchThing[0], searchThing.size(), search, lengthFind));
char bytes[UTF8MaxBytes + 1];
@@ -1914,6 +1914,8 @@ long Document::FindText(int minPos, int maxPos, const char *search,
break;
const int lenFlat = static_cast(pcf->Fold(folded, sizeof(folded), bytes, widthChar));
folded[lenFlat] = 0;
+ // memcmp may examine lenFlat bytes in both arguments so assert it doesn't read past end of searchThing
+ assert(static_cast(indexSearch + lenFlat) <= searchThing.size());
// Does folded match the buffer
characterMatches = 0 == memcmp(folded, &searchThing[0] + indexSearch, lenFlat);
if (!characterMatches)
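Review bot: The new `lengthLine >= 6` guard bounds the memcmp, but the `strstr(lineBuffer, ":line ")` on the following line still scans until a NUL byte regardless of lengthLine, so the branch is only safe if lineBuffer is guaranteed to be NUL-terminated inside the caller's buffer — nothing in this hunk establishes that. If that guarantee does not hold, a search bounded by `lengthLine` (a plain loop over the first lengthLine bytes, or `std::search` with an explicit end iterator) would complete the fix the commit title describes. Separately, the literal is rendered here as `" at "` (four characters) but compared over 6 bytes; if that is not merely whitespace collapsed by the rendering, memcmp reads two bytes past the end of the literal, and writing the length as `sizeof(literal) - 1` instead of a hard-coded 6 keeps the two from drifting apart. RecogniseErrorListLine begins and ends outside this hunk.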
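Review bot: The reason for the extra character of slack in `(lengthFind+1) * UTF8MaxBytes * maxFoldingExpansion + 1` is recorded nowhere near the allocation, and the next person tuning buffer sizes will not know it is load-bearing; a comment such as `// +1 character of room: the folded document character compared at the final search index may be wider than the folded search text that remains, and memcmp reads its full width from both sides` would carry the intent. It is also worth noting that `Fold` is handed `searchThing.size()` as its capacity, so if a case folder ever expands beyond `maxFoldingExpansion` the result presumably gets truncated rather than overflowing, and the later comparison silently fails to match — acceptable, but worth stating in the same comment. Document::FindText starts and ends outside this hunk.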
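Review bot: The added `assert` is the only thing standing between memcmp and an over-read of searchThing, and it compiles out under NDEBUG, so release builds keep exactly the exposure the commit title describes if the `maxFoldingExpansion` sizing assumption is ever violated by a case folder. A runtime guard that treats an out-of-range comparison as a mismatch holds in both build modes and can keep the assert for debugging: `characterMatches = (static_cast<size_t>(indexSearch + lenFlat) <= searchThing.size()) && (0 == memcmp(folded, &searchThing[0] + indexSearch, lenFlat));`. The hunk also does not show an `#include <cassert>`; confirm Document.cxx already has one, since this is the first use of `assert` visible in the file. Document::FindText and the enclosing loop both continue outside this hunk.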
@@ -1939,7 +1941,7 @@ long Document::FindText(int minPos, int maxPos, const char *search,
} else if (dbcsCodePage) {
const size_t maxBytesCharacter = 2;
const size_t maxFoldingExpansion = 4;
- std::vector searchThing(lengthFind * maxBytesCharacter * maxFoldingExpansion + 1);
+ std::vector searchThing((lengthFind+1) * maxBytesCharacter * maxFoldingExpansion + 1);
const int lenSearch = static_cast(
pcf->Fold(&searchThing[0], searchThing.size(), search, lengthFind));
while (forward ? (pos < endPos) : (pos >= endPos)) {
@@ -1959,6 +1961,8 @@ long Document::FindText(int minPos, int maxPos, const char *search,
char folded[maxBytesCharacter * maxFoldingExpansion + 1];
const int lenFlat = static_cast(pcf->Fold(folded, sizeof(folded), bytes, widthChar));
folded[lenFlat] = 0;
+ // memcmp may examine lenFlat bytes in both arguments so assert it doesn't read past end of searchThing
+ assert(static_cast(indexSearch + lenFlat) <= searchThing.size());
// Does folded match the buffer
characterMatches = 0 == memcmp(folded, &searchThing[0] + indexSearch, lenFlat);
indexDocument += widthChar;
--
cgit v1.2.3
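Review bot: The bound the new assert checks is the buffer's capacity, not `lenSearch`, the number of bytes `Fold` actually wrote into searchThing; the bytes between lenSearch and `searchThing.size()` are never written in this hunk (presumably value-initialized to zero by the vector), so a memcmp that reaches them stays inside the allocation but compares folded document text against padding rather than against the search string. Unless the loop's outer condition already guarantees `indexSearch + lenFlat <= lenSearch` — which is not visible here — `assert(indexSearch + lenFlat <= lenSearch);` is the bound that actually expresses the invariant, and the same observation applies to the UTF-8 branch earlier in this file. Document::FindText and the enclosing while loop both continue outside this hunk.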