From 1062c914df46ad60942bb36e0bf0e6d8dc429171 Mon Sep 17 00:00:00 2001
From: eivind
Date: Mon, 17 Mar 1997 09:30:19 +0000
Subject: Buffer overflow fix - closes PR bin/2983 for -current.

Should really go into 2.2.0 Release, even at the present time. Problem spotted by Tero Kivinen - was in BugTraq today :-(
---
 lib/libtermcap/tgoto.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'lib/libtermcap')

diff --git a/lib/libtermcap/tgoto.c b/lib/libtermcap/tgoto.c
index 85b8d57..ca49302 100644
--- a/lib/libtermcap/tgoto.c
+++ b/lib/libtermcap/tgoto.c
@@ -90,6 +90,8 @@ toohard:
 	added[0] = 0;
 	while ( (c = *cp++) ) {
 		if (c != '%') {
+			if (dp >= &result[MAXRETURNSIZE])
+				return ("OVERFLOW");
 			*dp++ = c;
 			continue;
 		}
@@ -110,14 +112,20 @@ toohard:
 			/* fall into... */

 		case '3':
+			if (dp >= &result[MAXRETURNSIZE])
+				return ("OVERFLOW");
 			*dp++ = (which / 100) | '0';
 			which %= 100;
 			/* fall into... */

 		case '2':
 two:
+			if (dp >= &result[MAXRETURNSIZE])
+				return ("OVERFLOW");
 			*dp++ = which / 10 | '0';
 one:
+			if (dp >= &result[MAXRETURNSIZE])
+				return ("OVERFLOW");
 			*dp++ = which % 10 | '0';
 swap:
 			oncol = 1 - oncol;
@@ -170,6 +178,8 @@ casedot:
 				which++;
 			} while (which == '\n');
 		}
+		if (dp >= &result[MAXRETURNSIZE])
+			return ("OVERFLOW");
 		*dp++ = which;
 		goto swap;

@@ -184,6 +194,8 @@ casedot:
 			continue;

 		case '%':
+			if (dp >= &result[MAXRETURNSIZE])
+				return ("OVERFLOW");
 			*dp++ = c;
 			continue;

@@ -203,6 +215,8 @@ casedot:
 			goto toohard;
 		}
 	}
+	if (dp+strlen(added)+1 > &result[MAXRETURNSIZE])
+		return ("OVERFLOW");
 	strcpy(dp, added);
 	return (result);
 }
--
cgit v1.1
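Review bot: The same two-line bound check is pasted before every single-byte store of `dp` in this hunk and in the four hunks that follow (the `case '3'`, `two:`, `one:`, `*dp++ = which` and `case '%'` stores), which is exactly the pattern where a future store gets added without its guard; one named helper would keep the invariant in one place, e.g. `#define CHECK_ROOM() do { if (dp >= &result[MAXRETURNSIZE]) return ("OVERFLOW"); } while (0)` invoked as `CHECK_ROOM();` before each `*dp++`. The comparison itself is sound as long as `result` is an array of `MAXRETURNSIZE` bytes (declared outside the hunk, so that needs confirming), since `&result[MAXRETURNSIZE]` is the one-past-the-end pointer and `>=` against it is well defined. Worth a comment where `"OVERFLOW"` is first returned stating that callers receive a static literal instead of the cursor string and that the partially filled `result` is discarded, since the hunk gives no hint that this is a sentinel. The enclosing function `tgoto` begins before this hunk.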
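Review bot: The final check forms `dp+strlen(added)+1` before comparing, and when `added` does not fit that intermediate pointer lies beyond one-past-the-end of `result`, which is undefined in C even though it is only compared; compute the remaining space instead: `if (strlen(added) + 1 > (size_t)(&result[MAXRETURNSIZE] - dp)) return ("OVERFLOW");`. The subtraction is safe because the earlier guards keep `dp` at or below `&result[MAXRETURNSIZE]`, and the `+ 1` correctly reserves the terminating NUL that `strcpy` writes. A short comment above the check, such as `/* reserve strlen(added) bytes plus the NUL that strcpy() appends */`, would explain the off-by-one to the next reader. The rest of `tgoto`, including the declaration of `added`, is outside this hunk, so its own bound is not reviewable here.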