diff options
| author | eivind <eivind@FreeBSD.org> | 1997-03-17 09:30:19 +0000 |
|---|---|---|
| committer | eivind <eivind@FreeBSD.org> | 1997-03-17 09:30:19 +0000 |
| commit | 1062c914df46ad60942bb36e0bf0e6d8dc429171 (patch) | |
| tree | 7de5bb239df772fe4dd28f6e0d6a2ff68678dd07 /lib/libtermcap | |
| parent | 5969e8211210f2d21571d05703b84e3a9b37586d (diff) | |
| download | FreeBSD-src-1062c914df46ad60942bb36e0bf0e6d8dc429171.zip FreeBSD-src-1062c914df46ad60942bb36e0bf0e6d8dc429171.tar.gz | |
Buffer overflow fix - closes PR bin/2983 for -current. Should really
go into 2.2.0 Release, even at the present time. Problem spotted by
Tero Kivinen <kivinen@ssh.fi> - was in BugTraq today :-(
Diffstat (limited to 'lib/libtermcap')
| -rw-r--r-- | lib/libtermcap/tgoto.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/libtermcap/tgoto.c b/lib/libtermcap/tgoto.c index 85b8d57..ca49302 100644 --- a/lib/libtermcap/tgoto.c +++ b/lib/libtermcap/tgoto.c @@ -90,6 +90,8 @@ toohard: added[0] = 0; while ( (c = *cp++) ) { if (c != '%') { + if (dp >= &result[MAXRETURNSIZE]) + return ("OVERFLOW"); *dp++ = c; continue; } @@ -110,14 +112,20 @@ toohard: /* fall into... */ case '3': + if (dp >= &result[MAXRETURNSIZE]) + return ("OVERFLOW"); *dp++ = (which / 100) | '0'; which %= 100; /* fall into... */ case '2': two: + if (dp >= &result[MAXRETURNSIZE]) + return ("OVERFLOW"); *dp++ = which / 10 | '0'; one: + if (dp >= &result[MAXRETURNSIZE]) + return ("OVERFLOW"); *dp++ = which % 10 | '0'; swap: oncol = 1 - oncol; @@ -170,6 +178,8 @@ casedot: which++; } while (which == '\n'); } + if (dp >= &result[MAXRETURNSIZE]) + return ("OVERFLOW"); *dp++ = which; goto swap; @@ -184,6 +194,8 @@ casedot: continue; case '%': + if (dp >= &result[MAXRETURNSIZE]) + return ("OVERFLOW"); *dp++ = c; continue; @@ -203,6 +215,8 @@ casedot: goto toohard; } } + if (dp+strlen(added)+1 > &result[MAXRETURNSIZE]) + return ("OVERFLOW"); strcpy(dp, added); return (result); } |
