proc/escape.c: Prevent buffer overflows in escape_command().

This solves several problems:

1/ outbuf[1] was written to, but not outbuf[0], which was left
uninitialized (well, SECURE_ESCAPE_ARGS() already fixes this, but do it
explicitly as well); we know it is safe to write one byte to outbuf,
because SECURE_ESCAPE_ARGS() guarantees it.

2/ If bytes was 1, the write to outbuf[1] was an off-by-one overflow.

3/ Do not call escape_str() with a 0 bufsize if bytes == overhead.

4/ Prevent various buffer overflows if bytes <= overhead.
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 37ce162604
commit 7efa102248

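--- a/proc/escape.c
+++ b/proc/escape.c
@@ -217,11 +217,10 @@ int escape_command(char *restrict const outbuf, const proc_t *restrict const pp,
 if(pp->state=='Z') overhead += 10; // chars in " <defunct>"
 else flags &= ~ESC_DEFUNCT;
 }
-if(overhead + 1 >= *cells){ // if no room for even one byte of the command name
-// you'd damn well better have _some_ space
-// outbuf[0] = '-'; // Oct23
-outbuf[1] = '\0';
-return 1;
+if(overhead + 1 >= *cells || // if no room for even one byte of the command name
+overhead + 1 >= bytes){
+outbuf[0] = '\0';
+return 0;
 }
 if(flags & ESC_BRACKETS){
 outbuf[end++] = '[';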
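Review bot: The `outbuf[0] = '\0';` store in the new early-return branch is only in bounds if `bytes` is at least 1 on entry, and nothing in this hunk establishes that. The commit message attributes the guarantee to SECURE_ESCAPE_ARGS(), which runs earlier in escape_command(), outside the hunk. I would record the dependency at the write, e.g. `outbuf[0] = '\0'; // safe: SECURE_ESCAPE_ARGS() guarantees bytes >= 1`, so a later change to the macro does not silently reintroduce an out-of-bounds store. The branch also now returns 0 where it used to return 1, so callers that add the return value to an output offset are worth re-checking, though none are visible here. The declarations of `bytes` and `overhead` are outside the hunk too; if they differ in signedness, the `overhead + 1 >= bytes` comparison deserves a second look.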