From 2503ec36304d961fb7b8eebb5f6a38ba58247bb1 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] w: Clamp maxcmd to the MIN/MAX_CMD_WIDTH range.

The current checks allow out-of-range values (for example, if
getenv/atoi returns ~-2GB, maxcmd becomes ~+2GB after the subtraction).
This is not a security problem, none of this is under an attacker's
control.
---
 w.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/w.c b/w.c
index b3c06446..35710a3a 100644
--- a/w.c
+++ b/w.c
@@ -579,11 +579,14 @@ int main(int argc, char **argv)
 		maxcmd = atoi(p);
 	else
 		maxcmd = MAX_CMD_WIDTH;
-	if (MAX_CMD_WIDTH < maxcmd)
-		maxcmd = MAX_CMD_WIDTH;
+#define CLAMP_CMD_WIDTH(cw) do { \
+	if ((cw) < MIN_CMD_WIDTH) (cw) = MIN_CMD_WIDTH; \
+	if ((cw) > MAX_CMD_WIDTH) (cw) = MAX_CMD_WIDTH; \
+} while (0)
+	CLAMP_CMD_WIDTH(maxcmd);
 	maxcmd -= 21 + userlen + (from ? fromlen : 0) + (longform ? 20 : 0);
-	if (maxcmd < MIN_CMD_WIDTH)
-        maxcmd = MIN_CMD_WIDTH;
+	CLAMP_CMD_WIDTH(maxcmd);
+#undef CLAMP_CMD_WIDTH
 
 	procs = readproctab(PROC_FILLCOM | PROC_FILLUSR | PROC_FILLSTAT);