diff --git a/cmd.c b/cmd.c index 1ae0d97b..2e553a7c 100644 --- a/cmd.c +++ b/cmd.c @@ -303,6 +303,8 @@ cmd_unpack_argv(char *buf, size_t len, int argc, char ***argv) if (argc == 0) return (0); + if (argc < 0 || argc > 1000) + return (-1); *argv = xcalloc(argc, sizeof **argv); buf[len - 1] = '\0'; diff --git a/format-draw.c b/format-draw.c index c8cb74b6..03fad05f 100644 --- a/format-draw.c +++ b/format-draw.c @@ -1116,7 +1116,7 @@ format_width(const char *expanded) /* * Trim on the left, taking #[] into account. Note, we copy the whole set of * unescaped #s, but only add their escaped size to width. This is because the - * format_draw function will actually do the escaping when it runs + * format_draw function will actually do the escaping. */ char * format_trim_left(const char *expanded, u_int limit) diff --git a/format.c b/format.c index bab58247..3b58bde3 100644 --- a/format.c +++ b/format.c @@ -4207,6 +4207,8 @@ format_build_modifiers(struct format_expand_state *es, const char **s, /* Skip any separator character. */ if (*cp == ';') cp++; + if (*cp == '\0') + break; /* Check single character modifiers with no arguments. */ if (strchr("labcdnwETSWPL!<>", cp[0]) != NULL && @@ -4767,7 +4769,7 @@ format_replace_expression(struct format_modifier *mexp, /* The third argument may be precision. */ if (argc >= 3) { - prec = strtonum(mexp->argv[2], INT_MIN, INT_MAX, &errstr); + prec = strtonum(mexp->argv[2], INT_MIN + 1, INT_MAX, &errstr); if (errstr != NULL) { format_log(es, "expression precision %s: %s", errstr, mexp->argv[2]); @@ -4912,8 +4914,8 @@ format_replace(struct format_expand_state *es, const char *key, size_t keylen, case '=': if (fm->argc < 1) break; - limit = strtonum(fm->argv[0], INT_MIN, INT_MAX, - &errstr); + limit = strtonum(fm->argv[0], INT_MIN + 1, + INT_MAX, &errstr); if (errstr != NULL) limit = 0; if (fm->argc >= 2 && fm->argv[1] != NULL) 
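Review bot: The new guard in cmd_unpack_argv bounds argc, but `len` is still used unchecked in the context line `buf[len - 1] = '\0';`, which writes before the start of the buffer if a caller can pass a zero length. If callers do not already rule that out, fold it into the same check: `if (argc < 0 || argc > 1000 || len == 0)`. The literal 1000 would also be easier to audit as a named constant with a comment saying where the limit comes from. Any earlier length check would sit above the hunk and is not visible here.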
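Review bot: The added `if (*cp == '\0') break;` in format_build_modifiers has no comment, and the reason for it is easy to miss. `strchr()` also matches the terminating NUL, so without the break a modifier string ending in `;` would pass the `strchr(..., cp[0]) != NULL` test on the following line and presumably go on to inspect bytes past the terminator. I would put `/* strchr() also matches the terminator; stop at end of string. */` above the new check. The loop begins and ends outside the hunk, so the remaining modifier branches were not reviewed.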
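Review bot: The lower bound `INT_MIN + 1` is unexplained in format_replace_expression and in the two format_replace hunks that follow (the `=` and `p` cases). If the intent is that the parsed value can later be negated without signed overflow (that use is outside these hunks), a short comment such as `/* INT_MIN excluded so the value can be negated. */`, or a shared macro for the bound, would keep the three call sites from drifting apart. The error handling also differs between them: this site reports the failure through format_log, while the `=` and `p` cases silently fall back to 0.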
@@ -4922,8 +4924,8 @@ format_replace(struct format_expand_state *es, const char *key, size_t keylen, case 'p': if (fm->argc < 1) break; - width = strtonum(fm->argv[0], INT_MIN, INT_MAX, - &errstr); + width = strtonum(fm->argv[0], INT_MIN + 1, + INT_MAX, &errstr); if (errstr != NULL) width = 0; break; @@ -5341,6 +5343,7 @@ done: if (marker != NULL && strcmp(new, value) != 0) { free(value); xasprintf(&value, "%s%s", new, marker); + free(new); } else { free(value); value = new; @@ -5351,6 +5354,7 @@ done: if (marker != NULL && strcmp(new, value) != 0) { free(value); xasprintf(&value, "%s%s", marker, new); + free(new); } else { free(value); value = new; @@ -5463,7 +5467,7 @@ format_expand1(struct format_expand_state *es, const char *fmt) buf[off++] = *fmt++; continue; } - if (*fmt++ == '\0') + if (*++fmt == '\0') break; ch = (u_char)*fmt++; diff --git a/regsub.c b/regsub.c index 61a9c324..91be3994 100644 --- a/regsub.c +++ b/regsub.c @@ -68,6 +68,8 @@ regsub(const char *pattern, const char *with, const char *text, int flags) if (*text == '\0') return (xstrdup("")); + if (*pattern == '\0') + return (xstrdup(text)); if (regcomp(&r, pattern, flags) != 0) return (NULL); diff --git a/sort.c b/sort.c index 1b18d370..8a8f7028 100644 --- a/sort.c +++ b/sort.c @@ -505,6 +505,7 @@ sort_get_panes_session(struct session *s, u_int *n, i = 0; RB_FOREACH(wl, winlinks, &s->windows) { + w = wl->window; TAILQ_FOREACH(wp, &w->panes, entry) { if (lsz <= i) { lsz += 100; diff --git a/window-copy.c b/window-copy.c index cc9f3e5d..16626563 100644 --- a/window-copy.c +++ b/window-copy.c @@ -3333,7 +3333,7 @@ window_copy_command(struct window_mode_entry *wme, struct client *c, enum window_copy_cmd_clear clear = WINDOW_COPY_CMD_CLEAR_NEVER; const char *command; u_int i, count = args_count(args); - int keys; + int keys, flags; char *error = NULL; if (count == 0) 
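Review bot: After the added `free(new);` the pointer `new` is left dangling in both patched branches (the hunk at -5341 and the identical one at -5351), while the else branch hands the same pointer over to `value`. Whether `new` is read again after these blocks is outside the hunks; adding `new = NULL;` after the free would make any later use fail safely rather than touch freed memory. The two branches differ only in the argument order passed to xasprintf, so a small helper would keep the ownership rule in one place.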
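Review bot: In format_expand1 the switch from `*fmt++` to `*++fmt` changes which character is tested, and nothing in the code records that. Assuming the guard above the hunk leaves `fmt` on a `#`, the new form steps over it and stops if the string ends there, before `ch = (u_char)*fmt++` reads the next byte. A comment such as `/* Skip the '#'; stop if it was the last character. */` would make the intent clear to the next reader. The loop starts and ends outside the hunk.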
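Review bot: The early return added to regsub handles only a literally empty `pattern`; a non-empty pattern that can match the empty string (for example `a*`) still reaches regcomp and the matching loop below. That loop is outside the hunk, so it is worth confirming that it always advances on a zero-length match. A one-line comment on the new check, e.g. `/* Nothing to match with an empty pattern; return the text unchanged. */`, would also document the chosen behaviour.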
@@ -3355,9 +3355,10 @@ window_copy_command(struct window_mode_entry *wme, struct client *c,
 action = WINDOW_COPY_CMD_NOTHING;
 for (i = 0; i < nitems(window_copy_cmd_table); i++) {
 if (strcmp(window_copy_cmd_table[i].command, command) == 0) {
- if (c->flags & CLIENT_READONLY &&
- (~window_copy_cmd_table[i].flags &
- WINDOW_COPY_CMD_FLAG_READONLY)) {
+ flags = window_copy_cmd_table[i].flags;
+ if (c != NULL &&
+ c->flags & CLIENT_READONLY &&
+ (~flags & WINDOW_COPY_CMD_FLAG_READONLY)) {
 status_message_set(c, -1, 1, 0, 0,
 "client is read-only");
 return;
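Review bot: With the added `c != NULL` test the read-only check is skipped entirely when there is no client, so every command in the table, including those without WINDOW_COPY_CMD_FLAG_READONLY, runs in that case. If that is intended because a NULL client can never be a read-only one, say so in a comment, e.g. `/* No client: not subject to the read-only restriction. */`; which callers pass NULL is not visible in this hunk. I would also parenthesise the mask test as `(c->flags & CLIENT_READONLY)`, since it now sits between two `&&` operands. The function continues outside the hunk.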