sashakoshka/termui
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixes unsafe pointer madness.

Browse Source 
`func uiEvt(e termbox.Event) Event` used to change the type of termbox.Event to Event by
using some pointer-cast magic[1], which could cause an overflow if `termbox.Event` changes
its structure.
I'd rather just have `type Event termbox.Event` but that would break backwards compatibility.

Warning: A buffer overflow could cause a serious security issue but it is very unlikely that
anyone could exploit that (though not impossbible). You'd need to push a upstream update to
termbox, which would tweak termbox.Event's structure. Still, this issue should be fixed and
unsafe should never be used.

[1] it used to get the address of termbox.Event and just cast a Event pointer
This commit is contained in:
Matteo Kloiber 2015-04-15 13:35:12 +02:00
parent b3e1431d46
commit 821f8bfd95
2 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
events.go
View File

@ -9,7 +9,6 @@
package termui
import "github.com/nsf/termbox-go"
import "unsafe"
/***********************************termbox-go**************************************/
@ -133,7 +132,19 @@ const (
// convert termbox.Event to termui.Event
func uiEvt(e termbox.Event) Event {
return *(*Event)(unsafe.Pointer(&e))
event := Event{}
event.Type = EventType(e.Type)
event.Mod = Modifier(e.Mod)
event.Key = Key(e.Key)
event.Ch = e.Ch
event.Width = e.Width
event.Height = e.Height
event.Err = e.Err
event.MouseX = e.MouseX
event.MouseY = e.MouseY
event.N = e.N
return event
}
var evtChs = make([]chan Event, 0)

28
events_test.go Normal file
View File

@ -0,0 +1,28 @@
// Copyright 2015 Zack Guo <gizak@icloud.com>. All rights reserved.
// Use of this source code is governed by a MIT license that can
// be found in the LICENSE file.
//
// Portions of this file uses [termbox-go](https://github.com/nsf/termbox-go/blob/54b74d087b7c397c402d0e3b66d2ccb6eaf5c2b4/api_common.go)
// by [authors](https://github.com/nsf/termbox-go/blob/master/AUTHORS)
// under [license](https://github.com/nsf/termbox-go/blob/master/LICENSE)
package termui
import (
"errors"
"testing"
termbox "github.com/nsf/termbox-go"
"github.com/stretchr/testify/assert"
)
type boxEvent termbox.Event
func TestUiEvt(t *testing.T) {
err := errors.New("This is a mock error")
event := boxEvent{3, 5, 2, 'H', 200, 500, err, 50, 30, 2}
expetced := Event{3, 5, 2, 'H', 200, 500, err, 50, 30, 2}
// We need to do that ugly casting so that vet does not complain
assert.Equal(t, uiEvt(termbox.Event(event)), expetced)
}