commit fff818fe878ca5edfbac85b15e77ada2acb8ea0f
author Russ Cox <rsc@swtch.com> Mon Dec 01 20:15:52 2014 -0500
committer Russ Cox <rsc@swtch.com> Tue Dec 02 01:18:40 2014 +0000
tree 1c528d7e620547fa26704577af3330188154ba46
parent d3a47e14e5ebf7a4d8ca8c9a3dfe748b93d3663a

libdraw, libframe, acme: fix, guard against inverted range in textsetselect

Credit to Roi Martin <jroi.martin@gmail.com> for noticing that
libdraw was being passed a negative string length and for finding the
sequence of keystrokes that make acme do it reproducibly.

Change-Id: If3f3d04a25c506175f740d3e887d5d83b5cd1bfe
Reviewed-on: https://plan9port-review.googlesource.com/1092
Reviewed-by: Russ Cox <rsc@swtch.com>

src/cmd/acme/text.c

diff --git a/src/cmd/acme/text.c b/src/cmd/acme/text.c
index c537d27..7634d92 100644
--- a/src/cmd/acme/text.c
+++ b/src/cmd/acme/text.c
@@ -819,8 +819,12 @@
 		nr = runestrlen(rp);
 		break;	/* fall through to normal insertion case */
 	case 0x1B:
-		if(t->eq0 != ~0)
-			textsetselect(t, t->eq0, t->q0);
+		if(t->eq0 != ~0) {
+			if(t->eq0 <= t->q0)
+				textsetselect(t, t->eq0, t->q0);
+			else
+				textsetselect(t, t->q0, t->eq0);
+		}
 		if(t->ncache > 0)
 			typecommit(t);
 		t->iq1 = t->q0;
@@ -1173,7 +1177,7 @@
 textsetselect(Text *t, uint q0, uint q1)
 {
 	int p0, p1, ticked;
-
+	
 	/* t->fr.p0 and t->fr.p1 are always right; t->q0 and t->q1 may be off */
 	t->q0 = q0;
 	t->q1 = q1;
@@ -1198,6 +1202,8 @@
 			frtick(&t->fr, frptofchar(&t->fr, p0), ticked);
 		return;
 	}
+	if(p0 > p1)
+		sysfatal("acme: textsetselect p0=%d p1=%d q0=%ud q1=%ud t->org=%d nchars=%d", p0, p1, q0, q1, (int)t->org, (int)t->fr.nchars);
 	/* screen disagrees with desired selection */
 	if(t->fr.p1<=p0 || p1<=t->fr.p0 || p0==p1 || t->fr.p1==t->fr.p0){
 		/* no overlap or too easy to bother trying */

src/libdraw/string.c

diff --git a/src/libdraw/string.c b/src/libdraw/string.c
index 4e876c1..392a7e8 100644
--- a/src/libdraw/string.c
+++ b/src/libdraw/string.c
@@ -67,6 +67,9 @@
 	Font *def;
 	Subfont *sf;
 
+	if(len < 0)
+		sysfatal("libdraw: _string len=%d", len);
+
 	if(s == nil){
 		s = "";
 		sptr = nil;

src/libframe/frdraw.c

diff --git a/src/libframe/frdraw.c b/src/libframe/frdraw.c
index 2a3a95e..05a45fe 100644
--- a/src/libframe/frdraw.c
+++ b/src/libframe/frdraw.c
@@ -62,6 +62,9 @@
 	Point qt;
 	uint p;
 	char *ptr;
+	
+	if(p0 > p1)
+		sysfatal("libframe: frdrawsel0 p0=%lud > p1=%lud", p0, p1);
 
 	p = 0;
 	b = f->box;