ps/output.c: Harden forest_helper().

This patch solves several problems:

1/ Limit the number of characters written (to outbuf) to OUTBUF_SIZE-1
(-1 for the null-terminator).

2/ Always null-terminate outbuf at q.

3/ Move the "rightward" checks *before* the strcpy() calls.

4/ Avoid an integer overflow in these checks (e.g., rightward-4).
This commit is contained in:
Qualys Security Advisory 1970-01-01 00:00:00 +00:00 committed by Craig Small
parent 62f19dc5df
commit d31f5eb545

View File

@ -339,11 +339,13 @@ STIME stime hms or md time format
static int forest_helper(char *restrict const outbuf){ static int forest_helper(char *restrict const outbuf){
char *p = forest_prefix; char *p = forest_prefix;
char *q = outbuf; char *q = outbuf;
int rightward=max_rightward; int rightward = max_rightward < OUTBUF_SIZE ? max_rightward : OUTBUF_SIZE-1;
*q = '\0';
if(!*p) return 0; if(!*p) return 0;
/* Arrrgh! somebody defined unix as 1 */ /* Arrrgh! somebody defined unix as 1 */
if(forest_type == 'u') goto unixy; if(forest_type == 'u') goto unixy;
while(*p){ while(*p){
if (rightward < 4) break;
switch(*p){ switch(*p){
case ' ': strcpy(q, " "); break; case ' ': strcpy(q, " "); break;
case 'L': strcpy(q, " \\_ "); break; case 'L': strcpy(q, " \\_ "); break;
@ -351,10 +353,6 @@ static int forest_helper(char *restrict const outbuf){
case '|': strcpy(q, " | "); break; case '|': strcpy(q, " | "); break;
case '\0': return q-outbuf; /* redundant & not used */ case '\0': return q-outbuf; /* redundant & not used */
} }
if (rightward-4 < 0) {
*(q+rightward)='\0';
return max_rightward;
}
q += 4; q += 4;
rightward -= 4; rightward -= 4;
p++; p++;
@ -362,6 +360,7 @@ static int forest_helper(char *restrict const outbuf){
return q-outbuf; /* gcc likes this here */ return q-outbuf; /* gcc likes this here */
unixy: unixy:
while(*p){ while(*p){
if (rightward < 2) break;
switch(*p){ switch(*p){
case ' ': strcpy(q, " "); break; case ' ': strcpy(q, " "); break;
case 'L': strcpy(q, " "); break; case 'L': strcpy(q, " "); break;
@ -369,10 +368,6 @@ unixy:
case '|': strcpy(q, " "); break; case '|': strcpy(q, " "); break;
case '\0': return q-outbuf; /* redundant & not used */ case '\0': return q-outbuf; /* redundant & not used */
} }
if (rightward-2 < 0) {
*(q+rightward)='\0';
return max_rightward;
}
q += 2; q += 2;
rightward -= 2; rightward -= 2;
p++; p++;