ATRONIX: by Shixin Zeng - Pass correct length to Deline_*

Oldes · Oldes · commit a0b5e3533633 · 2017-11-03T10:45:07.000+01:00
The length of the VAL_SERIES(value) has been set correctly by
Append_UTF8, and it could be smaller than "len", because UTF8 is a
multi-byte encoding, thus passing "len" to Deline_Uni could cause
out-of-bound memory access.

Fixes CC#2169

The following code

    REBOL[]
    t: &lt;ēee&gt;

causes:

==13053==ERROR: AddressSanitizer: use-after-poison on address 0x61d00001a5f8 at pc 0x000000853d50 bp 0x7ffd2a31a1b0 sp 0x7ffd2a31a1a8
WRITE of size 2 at 0x61d00001a5f8 thread T0
    0 0x853d4f in Deline_Uni /home/zsx/stuffs/work/r3.git/make/../src/core/s-ops.c:426:2
    1 0x7064d4 in Scan_Any /home/zsx/stuffs/work/r3.git/make/../src/core/l-types.c:846:7
...
diff --git a/src/core/l-types.c b/src/core/l-types.c
@@ -835,13 +835,11 @@ bad_hex:	Trap0(RE_INVALID_CHARS);
 
 	VAL_SET(value, type);
 	VAL_SERIES(value) = Append_UTF8(0, cp, len);
-	VAL_INDEX(value) = 0;
-	VAL_TAIL(value) = len;
 
 	if (VAL_BYTE_SIZE(value)) {
-		n = Deline_Bytes(VAL_BIN(value), len);
+		n = Deline_Bytes(VAL_BIN(value), VAL_LEN(value));
 	} else {
-		n = Deline_Uni(VAL_UNI(value), len);
+		n = Deline_Uni(VAL_UNI(value), VAL_LEN(value));
 	}
 	VAL_TAIL(value) = n;
 
