0051-proc/escape.c: Prevent buffer overflows in escape_command().
This solves several problems: 1/ outbuf[1] was written to, but not outbuf[0], which was left uninitialized (well, SECURE_ESCAPE_ARGS() already fixes this, but do it explicitly as well); we know it is safe to write one byte to outbuf, because SECURE_ESCAPE_ARGS() guarantees it. 2/ If bytes was 1, the write to outbuf[1] was an off-by-one overflow. 3/ Do not call escape_str() with a 0 bufsize if bytes == overhead. 4/ Prevent various buffer overflows if bytes <= overhead.
This commit is contained in:
parent
1eddce14c3
commit
1e48648b82
@ -216,11 +216,10 @@ int escape_command(char *restrict const outbuf, const proc_t *restrict const pp,
|
|||||||
if(pp->state=='Z') overhead += 10; // chars in " <defunct>"
|
if(pp->state=='Z') overhead += 10; // chars in " <defunct>"
|
||||||
else flags &= ~ESC_DEFUNCT;
|
else flags &= ~ESC_DEFUNCT;
|
||||||
}
|
}
|
||||||
if(overhead + 1 >= *cells){ // if no room for even one byte of the command name
|
if(overhead + 1 >= *cells || // if no room for even one byte of the command name
|
||||||
// you'd damn well better have _some_ space
|
overhead + 1 >= bytes){
|
||||||
// outbuf[0] = '-'; // Oct23
|
outbuf[0] = '\0';
|
||||||
outbuf[1] = '\0';
|
return 0;
|
||||||
return 1;
|
|
||||||
}
|
}
|
||||||
if(flags & ESC_BRACKETS){
|
if(flags & ESC_BRACKETS){
|
||||||
outbuf[end++] = '[';
|
outbuf[end++] = '[';
|
||||||
|
Loading…
Reference in New Issue
Block a user