From 92d1e8a27bd537bb77ea7c269ea3dd7952aa9bab Mon Sep 17 00:00:00 2001
From: Eivind Eklund
Date: Mon, 17 Mar 1997 09:30:19 +0000
Subject: [PATCH] Buffer overflow fix - closes PR bin/2983 for -current. Should really go into 2.2.0 Release, even at the present time. Problem spotted by Tero Kivinen - was in BugTraq today :-(
---
 lib/libtermcap/tgoto.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/lib/libtermcap/tgoto.c b/lib/libtermcap/tgoto.c
index 85b8d572cea0..ca493024f706 100644
--- a/lib/libtermcap/tgoto.c
+++ b/lib/libtermcap/tgoto.c
@@ -90,6 +90,8 @@ tgoto(const char *CM, int destcol, int destline)
 added[0] = 0;
 while ( (c = *cp++) ) {
 if (c != '%') {
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
 *dp++ = c;
 continue;
 }
@@ -110,14 +112,20 @@ tgoto(const char *CM, int destcol, int destline)
 /* fall into... */
 case '3':
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
 *dp++ = (which / 100) | '0';
 which %= 100;
 /* fall into... */
 case '2':
 two:
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
 *dp++ = which / 10 | '0';
 one:
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
 *dp++ = which % 10 | '0';
 swap:
 oncol = 1 - oncol;
@@ -170,6 +178,8 @@ tgoto(const char *CM, int destcol, int destline)
 which++;
 } while (which == '\n');
 }
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
 *dp++ = which;
 goto swap;
@@ -184,6 +194,8 @@ tgoto(const char *CM, int destcol, int destline)
 continue;
 case '%':
+ if (dp >= &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
 *dp++ = c;
 continue;
@@ -203,6 +215,8 @@ tgoto(const char *CM, int destcol, int destline)
 goto toohard;
 }
 }
+ if (dp+strlen(added)+1 > &result[MAXRETURNSIZE])
+ return ("OVERFLOW");
 strcpy(dp, added);
 return (result);
 }
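Review bot: The same two-line bound check is pasted three times in this hunk (before the '3', `two:` and `one:` stores) and six times across the patch, so the bound lives in six places and a future `*dp++` added without it reopens the overflow. A single macro next to the `MAXRETURNSIZE` definition keeps it in one place: `#define NEED_ROOM() do { if (dp >= &result[MAXRETURNSIZE]) return ("OVERFLOW"); } while (0)`, with `NEED_ROOM();` before each store. Whichever form is kept, a one-line comment at the first use would help the next reader: `/* each store needs one byte; the terminating NUL is checked with the strcpy of added at the end */`. The switch this hunk sits in opens before the hunk and closes after it.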
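Review bot: The check added before `*dp++ = which;` bounds `result`, but nothing in this commit bounds `added`, the buffer that the do/while loop just above appends to and that the final `strcpy(dp, added)` copies; that loop body starts outside the hunk, and from what is visible here it appears to concatenate a capability string into `added` once per iteration. If that append is an unchecked `strcat` of a termcap-supplied string (UP/BC), a long capability overflows `added` itself, which the `result` checks cannot catch. I would guard the append the same way the rest of the patch does, e.g. `if (strlen(added) + strlen(s) >= sizeof(added)) goto toohard;` before the concatenation, where `s` is the string being appended.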
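Review bot: The final check `dp+strlen(added)+1 > &result[MAXRETURNSIZE]` forms a pointer that can lie more than one element past the end of `result` (when `dp` is already at the end and `added` is non-empty), which is undefined pointer arithmetic in C even though it behaves on a flat address space. Comparing lengths instead of building the pointer avoids that: `if (strlen(added) + 1 > (size_t)(&result[MAXRETURNSIZE] - dp)) return ("OVERFLOW");`. The `>` itself is right, since strcpy writes strlen(added)+1 bytes and the per-character checks let `dp` reach exactly `&result[MAXRETURNSIZE]`. Returning a literal mirrors the existing `toohard` / "OOPS" convention, so callers that tputs the result are no worse off than before; tgoto's declarations are outside this hunk, so I am assuming `result` is the `char[MAXRETURNSIZE]` array its name suggests.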