proc/escape.c: Prevent buffer overflows in escape_command().
This solves several problems: 1/ outbuf[1] was written to, but not outbuf[0], which was left uninitialized (well, SECURE_ESCAPE_ARGS() already fixes this, but do it explicitly as well); we know it is safe to write one byte to outbuf, because SECURE_ESCAPE_ARGS() guarantees it. 2/ If bytes was 1, the write to outbuf[1] was an off-by-one overflow. 3/ Do not call escape_str() with a 0 bufsize if bytes == overhead. 4/ Prevent various buffer overflows if bytes <= overhead.
This commit is contained in:
parent
37ce162604
commit
7efa102248
@ -217,11 +217,10 @@ int escape_command(char *restrict const outbuf, const proc_t *restrict const pp,
|
||||
if(pp->state=='Z') overhead += 10; // chars in " <defunct>"
|
||||
else flags &= ~ESC_DEFUNCT;
|
||||
}
|
||||
if(overhead + 1 >= *cells){ // if no room for even one byte of the command name
|
||||
// you'd damn well better have _some_ space
|
||||
// outbuf[0] = '-'; // Oct23
|
||||
outbuf[1] = '\0';
|
||||
return 1;
|
||||
if(overhead + 1 >= *cells || // if no room for even one byte of the command name
|
||||
overhead + 1 >= bytes){
|
||||
outbuf[0] = '\0';
|
||||
return 0;
|
||||
}
|
||||
if(flags & ESC_BRACKETS){
|
||||
outbuf[end++] = '[';
|
||||
|
Loading…
Reference in New Issue
Block a user