From 43c4d553e66f4c39ed6243ed278865431a66d019 Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 Subject: [PATCH] 0053-ps/output.c: Harden forest_helper(). This patch solves several problems: 1/ Limit the number of characters written (to outbuf) to OUTBUF_SIZE-1 (-1 for the null-terminator). 2/ Always null-terminate outbuf at q. 3/ Move the "rightward" checks *before* the strcpy() calls. 4/ Avoid an integer overflow in these checks (e.g., rightward-4). --- ps/output.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/ps/output.c b/ps/output.c index 503dba64..8c19239b 100644 --- a/ps/output.c +++ b/ps/output.c @@ -224,11 +224,13 @@ STIME stime hms or md time format static int forest_helper(char *restrict const outbuf){ char *p = forest_prefix; char *q = outbuf; - int rightward=max_rightward; + int rightward = max_rightward < OUTBUF_SIZE ? max_rightward : OUTBUF_SIZE-1; + *q = '\0'; if(!*p) return 0; /* Arrrgh! somebody defined unix as 1 */ if(forest_type == 'u') goto unixy; while(*p){ + if (rightward < 4) break; switch(*p){ case ' ': strcpy(q, " "); break; case 'L': strcpy(q, " \\_ "); break; @@ -236,10 +238,6 @@ static int forest_helper(char *restrict const outbuf){ case '|': strcpy(q, " | "); break; case '\0': return q-outbuf; /* redundant & not used */ } - if (rightward-4 < 0) { - *(q+rightward)='\0'; - return max_rightward; - } q += 4; rightward -= 4; p++; @@ -247,6 +245,7 @@ static int forest_helper(char *restrict const outbuf){ return q-outbuf; /* gcc likes this here */ unixy: while(*p){ + if (rightward < 2) break; switch(*p){ case ' ': strcpy(q, " "); break; case 'L': strcpy(q, " "); break; @@ -254,10 +253,6 @@ unixy: case '|': strcpy(q, " "); break; case '\0': return q-outbuf; /* redundant & not used */ } - if (rightward-2 < 0) { - *(q+rightward)='\0'; - return max_rightward; - } q += 2; rightward -= 2; p++;