1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116
|
From 030437e33edd640f3de87d31006bd951a25d5efa Mon Sep 17 00:00:00 2001
From: nicm <nicm>
Date: Fri, 11 Apr 2014 19:35:54 +0000
Subject: [PATCH 2/6] Don't blindly increase offsets by the return value of
snprintf, if there wasn't enough space this will go off the end. Instead
clamp to the available space. Fixes crash reported by Julien Rebetez.
---
arguments.c | 12 +++++++++---
cmd-list.c | 10 +++++++---
window-copy.c | 14 ++++++++------
3 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/arguments.c b/arguments.c
index d4e5e53..fd656b1 100644
--- a/arguments.c
+++ b/arguments.c
@@ -125,7 +125,7 @@ args_free(struct args *args)
size_t
args_print(struct args *args, char *buf, size_t len)
{
- size_t off;
+ size_t off, used;
int i;
const char *quotes;
struct args_entry *entry;
@@ -165,9 +165,12 @@ args_print(struct args *args, char *buf, size_t len)
quotes = "\"";
else
quotes = "";
- off += xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
+ used = xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
off != 0 ? " " : "", entry->flag, quotes, entry->value,
quotes);
+ if (used > len - off)
+ used = len - off;
+ off += used;
}
/* And finally the argument vector. */
@@ -181,8 +184,11 @@ args_print(struct args *args, char *buf, size_t len)
quotes = "\"";
else
quotes = "";
- off += xsnprintf(buf + off, len - off, "%s%s%s%s",
+ used = xsnprintf(buf + off, len - off, "%s%s%s%s",
off != 0 ? " " : "", quotes, args->argv[i], quotes);
+ if (used > len - off)
+ used = len - off;
+ off += used;
}
return (off);
diff --git a/cmd-list.c b/cmd-list.c
index 08e2067..7ef8d1c 100644
--- a/cmd-list.c
+++ b/cmd-list.c
@@ -103,7 +103,7 @@ size_t
cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
{
struct cmd *cmd;
- size_t off;
+ size_t off, used;
off = 0;
TAILQ_FOREACH(cmd, &cmdlist->list, qentry) {
@@ -112,8 +112,12 @@ cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
off += cmd_print(cmd, buf + off, len - off);
if (off >= len)
break;
- if (TAILQ_NEXT(cmd, qentry) != NULL)
- off += xsnprintf(buf + off, len - off, " ; ");
+ if (TAILQ_NEXT(cmd, qentry) != NULL) {
+ used = xsnprintf(buf + off, len - off, " ; ");
+ if (used > len - off)
+ used = len - off;
+ off += used;
+ }
}
return (off);
}
diff --git a/window-copy.c b/window-copy.c
index 527c95c..55f7f3a 100644
--- a/window-copy.c
+++ b/window-copy.c
@@ -1185,8 +1185,8 @@ window_copy_write_line(
screen_write_puts(ctx, &gc, "%s", hdr);
} else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
limit = sizeof hdr;
- if (limit > screen_size_x(s))
- limit = screen_size_x(s);
+ if (limit > screen_size_x(s) + 1)
+ limit = screen_size_x(s) + 1;
if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
xoff = size = xsnprintf(hdr, limit,
"Repeat: %u", data->numprefix);
@@ -1199,10 +1199,12 @@ window_copy_write_line(
} else
size = 0;
- screen_write_cursormove(ctx, xoff, py);
- screen_write_copy(ctx, data->backing, xoff,
- (screen_hsize(data->backing) - data->oy) + py,
- screen_size_x(s) - size, 1);
+ if (size < screen_size_x(s)) {
+ screen_write_cursormove(ctx, xoff, py);
+ screen_write_copy(ctx, data->backing, xoff,
+ (screen_hsize(data->backing) - data->oy) + py,
+ screen_size_x(s) - size, 1);
+ }
if (py == data->cy && data->cx == screen_size_x(s)) {
memcpy(&gc, &grid_default_cell, sizeof gc);
--
1.9.2
|