Buffer overflow fix - closes PR bin/2983 for -current. Should really
go into the 2.2.0 Release, even at the present time.  Problem spotted by
Tero Kivinen <kivinen@ssh.fi> - was in BugTraq today :-(
Eivind Eklund 1997-03-17 09:30:19 +00:00
parent f721b0c392
commit 92d1e8a27b


@ -90,6 +90,8 @@ tgoto(const char *CM, int destcol, int destline)
added[0] = 0;
while ( (c = *cp++) ) {
if (c != '%') {
if (dp >= &result[MAXRETURNSIZE])
return ("OVERFLOW");
*dp++ = c;
continue;
}
@ -110,14 +112,20 @@ tgoto(const char *CM, int destcol, int destline)
/* fall into... */
case '3':
if (dp >= &result[MAXRETURNSIZE])
return ("OVERFLOW");
*dp++ = (which / 100) | '0';
which %= 100;
/* fall into... */
case '2':
two:
if (dp >= &result[MAXRETURNSIZE])
return ("OVERFLOW");
*dp++ = which / 10 | '0';
one:
if (dp >= &result[MAXRETURNSIZE])
return ("OVERFLOW");
*dp++ = which % 10 | '0';
swap:
oncol = 1 - oncol;
@ -170,6 +178,8 @@ tgoto(const char *CM, int destcol, int destline)
which++;
} while (which == '\n');
}
if (dp >= &result[MAXRETURNSIZE])
return ("OVERFLOW");
*dp++ = which;
goto swap;
@ -184,6 +194,8 @@ tgoto(const char *CM, int destcol, int destline)
continue;
case '%':
if (dp >= &result[MAXRETURNSIZE])
return ("OVERFLOW");
*dp++ = c;
continue;
@ -203,6 +215,8 @@ tgoto(const char *CM, int destcol, int destline)
goto toohard;
}
}
if (dp+strlen(added)+1 > &result[MAXRETURNSIZE])
return ("OVERFLOW");
strcpy(dp, added);
return (result);
}
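Review bot: The final check `dp+strlen(added)+1 > &result[MAXRETURNSIZE]` forms a pointer that can lie more than one element past the end of `result` before it is compared, which is undefined behaviour in C and is exactly the kind of comparison an optimizer may fold away on the assumption that it cannot happen, so the guard can silently disappear in the one place where more than a single byte is being reserved. Comparing remaining room as a size instead keeps every pointer inside the array: `if ((size_t)(&result[MAXRETURNSIZE] - dp) < strlen(added) + 1)` followed by the existing `return ("OVERFLOW");`. The single-byte checks in the earlier hunks (`dp >= &result[MAXRETURNSIZE]`) compare only against the one-past-the-end address and are fine as written, though the same five-way repetition of the test suggests a small `static` helper or macro would make it harder to miss a write site next time the function grows. The declarations of `result`, `dp` and `MAXRETURNSIZE`, and the start of tgoto itself, are outside these hunks, so I am assuming `dp` always points into `result` and that `result` holds exactly MAXRETURNSIZE bytes — worth confirming against the top of the function.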