authoreivind <eivind@FreeBSD.org>1997-03-17 09:30:19 +0000
committereivind <eivind@FreeBSD.org>1997-03-17 09:30:19 +0000
commit1062c914df46ad60942bb36e0bf0e6d8dc429171 (patch)
tree7de5bb239df772fe4dd28f6e0d6a2ff68678dd07 /lib/libtermcap
parent5969e8211210f2d21571d05703b84e3a9b37586d (diff)
Buffer overflow fix - closes PR bin/2983 for -current. Should really
go into 2.2.0 Release, even at the present time. Problem spotted by Tero Kivinen <kivinen@ssh.fi> - was in BugTraq today :-(
Diffstat (limited to 'lib/libtermcap')
-rw-r--r--lib/libtermcap/tgoto.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/lib/libtermcap/tgoto.c b/lib/libtermcap/tgoto.c
index 85b8d57..ca49302 100644
--- a/lib/libtermcap/tgoto.c
+++ b/lib/libtermcap/tgoto.c
@@ -90,6 +90,8 @@ toohard:
added[0] = 0;
while ( (c = *cp++) ) {
if (c != '%') {
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
*dp++ = c;
continue;
}
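Review bot: The two-line bounds guard added before `*dp++ = c;` is pasted verbatim at six store sites in this commit (here and in the hunks at new lines 112, 178 and 194), so a store added to this function later can easily end up without it. Folding the check and the store into one macro keeps them together, e.g. `#define TGOTO_PUT(ch) do { if (dp >= &result[MAXRETURNSIZE]) return ("OVERFLOW"); *dp++ = (ch); } while (0)`. The guard is only correct if `result` is declared with exactly MAXRETURNSIZE elements, which is outside the hunk; a one-line comment at the declaration stating that invariant would help. The function body starts and ends outside this hunk.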
@@ -110,14 +112,20 @@ toohard:
/* fall into... */
case '3':
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
*dp++ = (which / 100) | '0';
which %= 100;
/* fall into... */
case '2':
two:
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
*dp++ = which / 10 | '0';
one:
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
*dp++ = which % 10 | '0';
swap:
oncol = 1 - oncol;
@@ -170,6 +178,8 @@ casedot:
which++;
} while (which == '\n');
}
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
*dp++ = which;
goto swap;
@@ -184,6 +194,8 @@ casedot:
continue;
case '%':
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
*dp++ = c;
continue;
@@ -203,6 +215,8 @@ casedot:
goto toohard;
}
}
+ if (dp+strlen(added)+1 > &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
strcpy(dp, added);
return (result);
}
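Review bot: The final guard forms `dp+strlen(added)+1` before comparing, and that pointer can lie more than one element past the end of `result`, which is undefined behaviour in C even if the comparison happens to work on common platforms. Comparing lengths avoids this: `if (strlen(added) + 1 > (size_t)(&result[MAXRETURNSIZE] - dp))`. This relies on the earlier guards keeping `dp` at or below `&result[MAXRETURNSIZE]`, which they do in the visible hunks. The guard bounds only the copy into `result`; how `added` itself is filled is outside the hunk and is worth confirming separately.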