Fix pager segfault when lineInfo.chunks overflows. (closes #3888)

The reporter had an html attachment with extremely long lines,
combined with a color pattern of "color body default default ."
This overflowed the lineInfo.chunks, causing a segfault.

Abort the body color patterns if this happens.

diff --git a/pager.c b/pager.c
index d7674eb30cb92cc31cfcf59ca39096e1f7624378..fee1aef05529474af9e12e04742eb44e7e681e87 100644 (file)
--- a/pager.c
+++ b/pager.c
@@ -868,6 +868,13 @@ resolve_types (char *buf, char *raw, struct line_t *lineInfo, int n, int last,
          {
            if (!found)
            {
+              /* Abort if we fill up chunks.
+               * Yes, this really happened. See #3888 */
+              if (lineInfo[n].chunks == SHRT_MAX)
+              {
+                null_rx = 0;
+                break;
+              }
              if (++(lineInfo[n].chunks) > 1)
                safe_realloc (&(lineInfo[n].syntax), 
                              (lineInfo[n].chunks) * sizeof (struct syntax_t));