Date: Sun, 16 Mar 1997 18:10:03 -0800 (PST) From: John Capo <jc@irbs.com> To: freebsd-bugs Subject: Re: bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c Message-ID: <199703170210.SAA12639@freefall.freebsd.org>
The following reply was made to PR bin/2983; it has been noted by GNATS.
From: John Capo <jc@irbs.com>
To: gnats-bugs@gnats.netbsd.org, FreeBSD-gnats-submit@FreeBSD.ORG
Cc: Subject: Re: bin/2983: Security bug (buffer overflow) in lib/libterm/tgoto.c
Date: Sun, 16 Mar 1997 21:00:33 -0500
Index: tgoto.c
===================================================================
RCS file: /usr/cvs/src/lib/libtermcap/tgoto.c,v
retrieving revision 1.2.4.1
diff -u -r1.2.4.1 tgoto.c
--- tgoto.c 1995/09/02 17:42:15 1.2.4.1
+++ tgoto.c 1997/03/17 01:58:47
@@ -40,6 +40,7 @@
#define CTRL(c) ((c) & 037)
#define MAXRETURNSIZE 64
+#define MAXRESULTSIZE (MAXRETURNSIZE - sizeof (added) - 4)
char *UP;
char *BC;
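Review bot: `MAXRESULTSIZE` expands to an expression that names `added`, which is not declared anywhere in this hunk, so the macro only compiles where that array is in scope, and the `- 4` margin is unexplained. A comment on the define would help, for example `/* room kept for added[] plus the longest single % expansion and the NUL (margin presumed; confirm against the switch cases) */`. Because `sizeof` yields `size_t`, the comparison added in the next hunk is done in unsigned arithmetic, which is correct only while `dp >= result`.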
@@ -87,7 +88,7 @@
return ("OOPS");
}
added[0] = 0;
- while (c = *cp++) {
+ while ((c = *cp++) && dp - result < MAXRESULTSIZE) {
if (c != '%') {
*dp++ = c;
continue;
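Review bot: When the new bound `dp - result < MAXRESULTSIZE` ends the loop, the function appears to fall through and return a truncated cursor-motion string as if it were complete, so the caller would send a partial sequence to the terminal. The failure path at the top of this hunk already returns `"OOPS"`, and overlong input could be reported the same way, e.g. `if (c) return ("OOPS");` placed after the loop. `c` is still non-zero at that point when the bound rather than the terminator stopped the loop. The loop body and its end are outside this hunk, so the exact placement needs checking against the full function.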
@@ -159,15 +160,21 @@
* like nondestructive space.
*/
if (which == 0 || which == CTRL('d') || /* which == '\t' || */ which == '\n') {
- if (oncol || UP) /* Assumption: backspace works */
+ if (oncol || UP) { /* Assumption: backspace works */
+ int length;
+
+ length = sizeof (added) - 1;
+ added[length] = '\0';
/*
* Loop needed because newline happens
* to be the successor of tab.
*/
do {
- strcat(added, oncol ? (BC ? BC : "\b") : UP);
+ strncat(added, oncol ? (BC ? BC : "\b") : UP, length);
which++;
- } while (which == '\n');
+ length -= strlen(added);
+ } while (which == '\n' && length > 1);
+ }
}
*dp++ = which;
goto swap;
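Review bot: The `strncat` call passes `length`, initialised to `sizeof (added) - 1`, but that argument limits the bytes appended, not the total size of the destination. `added` is cleared only once, at `added[0] = 0` before the loop in the previous hunk, so if this branch runs more than once per call it starts with text already in `added` and can still write past its end. Bounding by the remaining room fixes that: `strncat(added, oncol ? (BC ? BC : "\b") : UP, sizeof (added) - 1 - strlen(added));`. With that change `added[length] = '\0'` and `length -= strlen(added)` are no longer needed; the latter subtracts the whole length each time rather than the increment. The enclosing switch case starts outside this hunk.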
