diff options
| author | nicm <nicm> | 2014-04-11 19:35:54 +0000 |
|---|---|---|
| committer | nicm <nicm> | 2014-04-11 19:35:54 +0000 |
| commit | b8bda67f304b7c70dee891b7ca660036793c2a4b (patch) | |
| tree | dded327c5a855dddbbdddf68220868207dca3b10 | |
| parent | 73c5a487c1b0f10bbc36479f425fb9cea512be7b (diff) | |
Don't blindly increase offsets by the return value of snprintf, if there
wasn't enough space this will go off the end. Instead clamp to the
available space. Fixes crash reported by Julien Rebetez.
| -rw-r--r-- | arguments.c | 12 | ||||
| -rw-r--r-- | cmd-list.c | 10 | ||||
| -rw-r--r-- | window-copy.c | 14 |
3 files changed, 24 insertions, 12 deletions
diff --git a/arguments.c b/arguments.c index 5ff7ed2c..ca6cc760 100644 --- a/arguments.c +++ b/arguments.c @@ -125,7 +125,7 @@ args_free(struct args *args) size_t args_print(struct args *args, char *buf, size_t len) { - size_t off; + size_t off, used; int i; const char *quotes; struct args_entry *entry; @@ -165,9 +165,12 @@ args_print(struct args *args, char *buf, size_t len) quotes = "\""; else quotes = ""; - off += xsnprintf(buf + off, len - off, "%s-%c %s%s%s", + used = xsnprintf(buf + off, len - off, "%s-%c %s%s%s", off != 0 ? " " : "", entry->flag, quotes, entry->value, quotes); + if (used > len - off) + used = len - off; + off += used; } /* And finally the argument vector. */ @@ -181,8 +184,11 @@ args_print(struct args *args, char *buf, size_t len) quotes = "\""; else quotes = ""; - off += xsnprintf(buf + off, len - off, "%s%s%s%s", + used = xsnprintf(buf + off, len - off, "%s%s%s%s", off != 0 ? " " : "", quotes, args->argv[i], quotes); + if (used > len - off) + used = len - off; + off += used; } return (off); @@ -103,7 +103,7 @@ size_t cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len) { struct cmd *cmd; - size_t off; + size_t off, used; off = 0; TAILQ_FOREACH(cmd, &cmdlist->list, qentry) { @@ -112,8 +112,12 @@ cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len) off += cmd_print(cmd, buf + off, len - off); if (off >= len) break; - if (TAILQ_NEXT(cmd, qentry) != NULL) - off += xsnprintf(buf + off, len - off, " ; "); + if (TAILQ_NEXT(cmd, qentry) != NULL) { + used = xsnprintf(buf + off, len - off, " ; "); + if (used > len - off) + used = len - off; + off += used; + } } return (off); } diff --git a/window-copy.c b/window-copy.c index 6e4d6704..c33a4c3b 100644 --- a/window-copy.c +++ b/window-copy.c @@ -1194,8 +1194,8 @@ window_copy_write_line( screen_write_puts(ctx, &gc, "%s", hdr); } else if (py == last && data->inputtype != WINDOW_COPY_OFF) { limit = sizeof hdr; - if (limit > screen_size_x(s)) - limit = screen_size_x(s); + if (limit > screen_size_x(s) + 1) + limit = screen_size_x(s) + 1; if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) { xoff = size = xsnprintf(hdr, limit, "Repeat: %u", data->numprefix); @@ -1208,10 +1208,12 @@ window_copy_write_line( } else size = 0; - screen_write_cursormove(ctx, xoff, py); - screen_write_copy(ctx, data->backing, xoff, - (screen_hsize(data->backing) - data->oy) + py, - screen_size_x(s) - size, 1); + if (size < screen_size_x(s)) { + screen_write_cursormove(ctx, xoff, py); + screen_write_copy(ctx, data->backing, xoff, + (screen_hsize(data->backing) - data->oy) + py, + screen_size_x(s) - size, 1); + } if (py == data->cy && data->cx == screen_size_x(s)) { memcpy(&gc, &grid_default_cell, sizeof gc); |