Re: user.c:extract_line buffer overflow



> On Fri, 23 Jan 2004, Andrew V. Samoilov wrote:
> 
> > Hello,
> >
> > I see you have a huge queue of patches to review.
> > One more trivial, please.
> 
> Applied, thank you!

Thanks, but that was an old patch, I am sorry.
The related patch is attached.

-- 
Regards,
Andrew V. Samoilov.
src/ChangeLog:

	* user.c (extract_line): Add a new parameter (size of the
	output buffer) to prevent buffer overflow.

--- user.c.bak	Mon Dec  8 19:54:13 2003
+++ user.c	Fri Jan 23 18:43:53 2004
@@ -300,13 +300,15 @@
 
 /* Copies a whitespace separated argument from p to arg. Returns the
    point after argument. */
-static char *extract_arg (char *p, char *arg)
+static char *extract_arg (char *p, char *arg, int size)
 {
     while (*p && (*p == ' ' || *p == '\t' || *p == '\n'))
 	p++;
                 /* support quote space .mnu */
-    while (*p && (*p != ' ' || *(p-1) == '\\') && *p != '\t' && *p != '\n')
+    while (size > 1 && *p && (*p != ' ' || *(p-1) == '\\') && *p != '\t' && *p != '\n') {
 	*arg++ = *p++;
+	size--;
+    }
     *arg = 0;
     if (!*p || *p == '\n')
 	p --;
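Review bot: When the argument is longer than the buffer, the new `size > 1` test ends the copy loop with `p` still inside the token, so the "point after argument" handed back to the caller is really the middle of the argument and the leftover characters get parsed as if they were new input. Keep the original loop condition and bound only the store, with a body of `if (size > 1) { *arg++ = *p; size--; }` followed by `p++;`, so an over-long argument is truncated but fully consumed. `*arg = 0;` is still written when `size` is 0 or negative, so either reject that case up front or document that `size` must be at least 1; `size_t` would also match the `sizeof` values the callers pass. The ChangeLog entry names extract_line while the function changed here is extract_arg. The end of extract_arg lies outside the hunk.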
@@ -389,29 +391,29 @@ static char *test_condition (WEdit *edit
 	    p--;
 	    break;
 	case 'f': /* file name pattern */
-	    p = extract_arg (p, arg);
+	    p = extract_arg (p, arg, sizeof (arg));
 	    *condition = panel && regexp_match (arg, panel->dir.list [panel->selected].fname, match_file);
 	    break;
 	case 'y': /* syntax pattern */
             if (edit_widget && edit_widget->syntax_type) {
-	        p = extract_arg (p, arg);
+	        p = extract_arg (p, arg, sizeof (arg));
 	        *condition = panel &&
                     regexp_match (arg, edit_widget->syntax_type, match_normal);
 	    }
-                break;
+            break;
 	case 'd':
-	    p = extract_arg (p, arg);
+	    p = extract_arg (p, arg, sizeof (arg));
 	    *condition = panel && regexp_match (arg, panel->cwd, match_file);
 	    break;
 	case 't':
-	    p = extract_arg (p, arg);
+	    p = extract_arg (p, arg, sizeof (arg));
 	    *condition = panel && test_type (panel, arg);
 	    break;
 	case 'x': /* executable */
 	{
 	    struct stat status;
 	    
-	    p = extract_arg (p, arg);
+	    p = extract_arg (p, arg, sizeof (arg));
 	    if (stat (arg, &status) == 0)
 		*condition = is_exe (status.st_mode);
 	    else
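Review bot: `sizeof (arg)` gives the buffer size only if `arg` is declared as a char array inside test_condition; that declaration is outside the hunk, and if `arg` were a pointer every call here would pass the pointer size instead. It is worth confirming, and a comment at the declaration such as `/* extract_arg() is passed sizeof (arg): keep this an array */` would protect these calls from a later refactor. Separately, a silently truncated `arg` is still handed to `regexp_match` and, in case 'x', to `stat`, so an over-long name is tested as a different, shorter path; having extract_arg report truncation so these cases can set `*condition` to 0 would be safer. The switch continues past the end of the hunk.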

