ps/output.c: Harden forest_helper().
This patch solves several problems: 1/ Limit the number of characters written (to outbuf) to OUTBUF_SIZE-1 (-1 for the null-terminator). 2/ Always null-terminate outbuf at q. 3/ Move the "rightward" checks *before* the strcpy() calls. 4/ Avoid an integer overflow in these checks (e.g., rightward-4).
This commit is contained in:
parent
62f19dc5df
commit
d31f5eb545
13
ps/output.c
13
ps/output.c
@ -339,11 +339,13 @@ STIME stime hms or md time format
|
|||||||
static int forest_helper(char *restrict const outbuf){
|
static int forest_helper(char *restrict const outbuf){
|
||||||
char *p = forest_prefix;
|
char *p = forest_prefix;
|
||||||
char *q = outbuf;
|
char *q = outbuf;
|
||||||
int rightward=max_rightward;
|
int rightward = max_rightward < OUTBUF_SIZE ? max_rightward : OUTBUF_SIZE-1;
|
||||||
|
*q = '\0';
|
||||||
if(!*p) return 0;
|
if(!*p) return 0;
|
||||||
/* Arrrgh! somebody defined unix as 1 */
|
/* Arrrgh! somebody defined unix as 1 */
|
||||||
if(forest_type == 'u') goto unixy;
|
if(forest_type == 'u') goto unixy;
|
||||||
while(*p){
|
while(*p){
|
||||||
|
if (rightward < 4) break;
|
||||||
switch(*p){
|
switch(*p){
|
||||||
case ' ': strcpy(q, " "); break;
|
case ' ': strcpy(q, " "); break;
|
||||||
case 'L': strcpy(q, " \\_ "); break;
|
case 'L': strcpy(q, " \\_ "); break;
|
||||||
@ -351,10 +353,6 @@ static int forest_helper(char *restrict const outbuf){
|
|||||||
case '|': strcpy(q, " | "); break;
|
case '|': strcpy(q, " | "); break;
|
||||||
case '\0': return q-outbuf; /* redundant & not used */
|
case '\0': return q-outbuf; /* redundant & not used */
|
||||||
}
|
}
|
||||||
if (rightward-4 < 0) {
|
|
||||||
*(q+rightward)='\0';
|
|
||||||
return max_rightward;
|
|
||||||
}
|
|
||||||
q += 4;
|
q += 4;
|
||||||
rightward -= 4;
|
rightward -= 4;
|
||||||
p++;
|
p++;
|
||||||
@ -362,6 +360,7 @@ static int forest_helper(char *restrict const outbuf){
|
|||||||
return q-outbuf; /* gcc likes this here */
|
return q-outbuf; /* gcc likes this here */
|
||||||
unixy:
|
unixy:
|
||||||
while(*p){
|
while(*p){
|
||||||
|
if (rightward < 2) break;
|
||||||
switch(*p){
|
switch(*p){
|
||||||
case ' ': strcpy(q, " "); break;
|
case ' ': strcpy(q, " "); break;
|
||||||
case 'L': strcpy(q, " "); break;
|
case 'L': strcpy(q, " "); break;
|
||||||
@ -369,10 +368,6 @@ unixy:
|
|||||||
case '|': strcpy(q, " "); break;
|
case '|': strcpy(q, " "); break;
|
||||||
case '\0': return q-outbuf; /* redundant & not used */
|
case '\0': return q-outbuf; /* redundant & not used */
|
||||||
}
|
}
|
||||||
if (rightward-2 < 0) {
|
|
||||||
*(q+rightward)='\0';
|
|
||||||
return max_rightward;
|
|
||||||
}
|
|
||||||
q += 2;
|
q += 2;
|
||||||
rightward -= 2;
|
rightward -= 2;
|
||||||
p++;
|
p++;
|
||||||
|
Loading…
Reference in New Issue
Block a user