From c424a643318abfb534a692bd86c6a5e411ed2ebb Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000
Subject: [PATCH] top: Prevent buffer overflow in calibrate_fields().

pflgsall[] can contain PFLAGSSIZ = 100 elements, each iteration of the loop can write 3 elements to pflgsall[], and there are EU_MAXPFLGS = 58 iterations: a buffer overflow (it can be triggered via the configuration file, for example, by filling "fieldscur" with the "sortindx" flag).
---
 top/top.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/top/top.c b/top/top.c
index 196df32e..ea4d1a4b 100644
--- a/top/top.c
+++ b/top/top.c
@@ -2143,12 +2143,13 @@ static void calibrate_fields (void) {
 w->hdrcaplen = 0; // really only used with USE_X_COLHDR
 // build window's pflgsall array, establish upper bounds for maxpflgs
 for (i = 0, w->totpflgs = 0; i < EU_MAXPFLGS; i++) {
- if (FLDviz(w, i)) {
+ if (FLDviz(w, i) && w->totpflgs < PFLAGSSIZ) {
 f = FLDget(w, i);
 #ifdef USE_X_COLHDR
 w->pflgsall[w->totpflgs++] = f;
 #else
- if (CHKw(w, Show_HICOLS) && f == w->rc.sortindx) {
+ if (CHKw(w, Show_HICOLS) && f == w->rc.sortindx &&
+ w->totpflgs <= PFLAGSSIZ - 3) {
 w->pflgsall[w->totpflgs++] = EU_XON;
 w->pflgsall[w->totpflgs++] = f;
 w->pflgsall[w->totpflgs++] = EU_XOF;
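Review bot: The new bound `w->totpflgs <= PFLAGSSIZ - 3` hard-codes the number of stores in the highlighted branch (EU_XON, f, EU_XOF) without saying so; a comment above the condition such as `// XON + field + XOF need 3 free pflgsall[] slots` would keep the guard and the stores in sync if that branch ever changes. When only one or two slots remain, the sort field presumably falls through to the single-store path (the else arm lies outside the hunk), so it is kept but loses its highlight markers. Once the array is full, the outer guard `w->totpflgs < PFLAGSSIZ` silently drops every remaining visible field while the loop keeps iterating. Both outcomes are memory-safe, but since the commit message names the configuration file as the trigger, the truncation deserves a short comment such as `// cap at PFLAGSSIZ: rcfile-supplied fieldscur may repeat the sort field`. The function body starts before and continues after this hunk.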