From 5f654f143a30aa05083ca5bb81047afe5e5f597c Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] 0088-pmap: Always check the return value of fgets().
Otherwise "the contents of the array remain unchanged and a null pointer is returned" or "the array contents are indeterminate and a null pointer is returned".
Signed-off-by: Craig Small
---
 pmap.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/pmap.c b/pmap.c
index 6d33c2d5..b8ae1529 100644
--- a/pmap.c
+++ b/pmap.c
@@ -333,6 +333,8 @@ static void print_extended_maps (FILE *f)
 c = mapbuf[strlen(mapbuf) - 1];
 while (c != '\n') {
 fgets(mapbuf, sizeof mapbuf, f);
+ if (!ret || !mapbuf[0])
+ xerrx(EXIT_FAILURE, _("Unknown format in smaps file!"));
 c = mapbuf[strlen(mapbuf) - 1];
 }
@@ -344,8 +346,8 @@ static void print_extended_maps (FILE *f)
 if (strlen(inode ) > maxw5) maxw5 = strlen(inode);
 ret = fgets(mapbuf, sizeof mapbuf, f);
- nfields = sscanf(mapbuf, "%"DETL"[^:]: %"NUML"[0-9] kB %c",
- detail_desc, value_str, &c);
+ nfields = ret ? sscanf(mapbuf, "%"DETL"[^:]: %"NUML"[0-9] kB %c",
+ detail_desc, value_str, &c) : 0;
 listnode = listhead;
 /* === READ MAPPING DETAILS === */
 while (ret != NULL && nfields == 2) {
@@ -387,12 +389,12 @@ static void print_extended_maps (FILE *f)
 listnode = listnode->next;
 loop_end:
 ret = fgets(mapbuf, sizeof mapbuf, f);
- nfields = sscanf(mapbuf, "%"DETL"[^:]: %"NUML"[0-9] kB %c",
- detail_desc, value_str, &c);
+ nfields = ret ? sscanf(mapbuf, "%"DETL"[^:]: %"NUML"[0-9] kB %c",
+ detail_desc, value_str, &c) : 0;
 }
 /* === GET VMFLAGS === */
- nfields = sscanf(mapbuf, "VmFlags: %[a-z ]", vmflags);
+ nfields = ret ? sscanf(mapbuf, "VmFlags: %[a-z ]", vmflags) : 0;
 if (nfields == 1) {
 if (! has_vmflags) has_vmflags = 1;
 ret = fgets(mapbuf, sizeof mapbuf, f);
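Review bot: In the first hunk (the loop that drains an over-long line), the added `if (!ret || !mapbuf[0])` tests `ret`, but the context line just above it still calls `fgets(mapbuf, sizeof mapbuf, f);` without storing the result, so `ret` holds whatever an earlier call left in it. When fgets() fails and leaves mapbuf unchanged, the buffer still starts with a non-NUL byte and still does not end in a newline, so the loop can keep spinning on a truncated smaps file instead of reaching xerrx(). The call should become `ret = fgets(mapbuf, sizeof mapbuf, f);` so the new check sees this call's result. The declaration of `ret` and the start of print_extended_maps are outside the hunk, so its value on loop entry is inferred from the other call sites shown.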
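Review bot: The rewritten VmFlags line near the end of the third hunk, `sscanf(mapbuf, "VmFlags: %[a-z ]", vmflags)`, still has no field width on `%[a-z ]`, while the other conversions in this function are bounded through `DETL` and `NUML`. If vmflags is smaller than mapbuf (both declarations are outside the hunk), a long run of lowercase letters and spaces on that line would be written past the end of vmflags. Bound the conversion with a width one less than the size of vmflags, using a string macro in the same style, e.g. `"VmFlags: %" VMFLAGS_WIDTH "[a-z ]"`, where VMFLAGS_WIDTH is a placeholder name for a macro this page does not show.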