top: Prevent buffer overflow in calibrate_fields().

pflgsall[] can contain PFLAGSSIZ = 100 elements, each iteration of the
loop can write 3 elements to pflgsall[], and there are EU_MAXPFLGS = 58
iterations: a buffer overflow (it can be triggered via the configuration
file, for example, by filling "fieldscur" with the "sortindx" flag).
This commit is contained in:
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent a71ac048e6
commit c424a64331

View File

@ -2143,12 +2143,13 @@ static void calibrate_fields (void) {
w->hdrcaplen = 0; // really only used with USE_X_COLHDR w->hdrcaplen = 0; // really only used with USE_X_COLHDR
// build window's pflgsall array, establish upper bounds for maxpflgs // build window's pflgsall array, establish upper bounds for maxpflgs
for (i = 0, w->totpflgs = 0; i < EU_MAXPFLGS; i++) { for (i = 0, w->totpflgs = 0; i < EU_MAXPFLGS; i++) {
if (FLDviz(w, i)) { if (FLDviz(w, i) && w->totpflgs < PFLAGSSIZ) {
f = FLDget(w, i); f = FLDget(w, i);
#ifdef USE_X_COLHDR #ifdef USE_X_COLHDR
w->pflgsall[w->totpflgs++] = f; w->pflgsall[w->totpflgs++] = f;
#else #else
if (CHKw(w, Show_HICOLS) && f == w->rc.sortindx) { if (CHKw(w, Show_HICOLS) && f == w->rc.sortindx &&
w->totpflgs <= PFLAGSSIZ - 3) {
w->pflgsall[w->totpflgs++] = EU_XON; w->pflgsall[w->totpflgs++] = EU_XON;
w->pflgsall[w->totpflgs++] = f; w->pflgsall[w->totpflgs++] = f;
w->pflgsall[w->totpflgs++] = EU_XOF; w->pflgsall[w->totpflgs++] = EU_XOF;