# Extended 3.12 — src/win/winDebugWindow.c: newline-doubling stack overflow Bug ref : pharo.md §3.12 Severity : HIGH (stack overflow on input full of newlines) File : src/win/winDebugWindow.c Lines (HEAD) : 127, 182-193 (`scrollToPosition`) ## Problem ```c char logBuffer2[LOGBUFFER_SIZE * 2 + 1]; ... while(logIndex <= logLimit){ // <= writes the trailing NUL too if(logBuffer[logIndex] == '\n'){ logBuffer2[logIndex2] = '\r'; logIndex2++; } logBuffer2[logIndex2] = logBuffer[logIndex]; logIndex++; logIndex2++; } ``` For an input of `L` `\n` plus the NUL, output is `2 * (L + 1)` bytes (each `\n` becomes `\r\n`). The buffer is `2 * LOGBUFFER_SIZE + 1` — short by 1 when `L == LOGBUFFER_SIZE`. ## Fix Bound the write index against the buffer size; stop when full and log a truncation warning. ```diff diff --git a/src/win/winDebugWindow.c b/src/win/winDebugWindow.c index 9652927f6..c80182ee1 100644 --- a/src/win/winDebugWindow.c +++ b/src/win/winDebugWindow.c @@ -179,9 +179,11 @@ void scrollToPosition(){ } } - while(logIndex <= logLimit){ + while(logIndex <= logLimit + && logIndex2 < (LOGBUFFER_SIZE * 2)){ if(logBuffer[logIndex] == '\n'){ + if (logIndex2 + 1 >= (LOGBUFFER_SIZE * 2)) break; logBuffer2[logIndex2] = '\r'; logIndex2++; } @@ -192,6 +194,10 @@ void scrollToPosition(){ logIndex2 ++; } + /* Ensure NUL termination regardless of how the loop exited. */ + if (logIndex2 > (LOGBUFFER_SIZE * 2)) logIndex2 = LOGBUFFER_SIZE * 2; + logBuffer2[logIndex2] = '\0'; + MultiByteToWideChar(CP_UTF8, 0, logBuffer2, -1, logBufferWide, LOGBUFFER_SIZE + 1); SetDlgItemTextW(debugWindowHWND, IDC_LOGTEXT, logBufferWide); ``` ## Test plan - Set the log buffer to `LOGBUFFER_SIZE` newline characters. Before: stack overflow in the doubling loop. After: stops at buffer capacity, NUL-terminates, MBCS conversion succeeds. - Normal log content with sparse newlines: unchanged. ## Risk notes - The trailing NUL is now written explicitly; the +2 in the buffer size adds one byte to be safe. - If the loop short-circuits, the last visible line may be truncated; the operator sees the truncated content rather than a crash.