circlecloud/tmux
1
0
Fork 0
mirror of https://github.com/tmux/tmux.git synced 2025-09-02 05:21:10 +00:00
Code Issues Projects Releases Wiki Activity

Don't blindly increase offsets by the return value of snprintf, if there

Browse Source 
wasn't enough space this will go off the end. Instead clamp to the
available space. Fixes crash reported by Julien Rebetez.
This commit is contained in:
nicm
2014-04-11 19:35:54 +00:00
parent 73c5a487c1
commit b8bda67f30
3 changed files with 24 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
window-copy.c
View File

@ -1194,8 +1194,8 @@ window_copy_write_line(
screen_write_puts(ctx, &gc, "%s", hdr);
} else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
limit = sizeof hdr;
if (limit > screen_size_x(s))
limit = screen_size_x(s);
if (limit > screen_size_x(s) + 1)
limit = screen_size_x(s) + 1;
if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
xoff = size = xsnprintf(hdr, limit,
"Repeat: %u", data->numprefix);
@ -1208,10 +1208,12 @@ window_copy_write_line(
} else
size = 0;
screen_write_cursormove(ctx, xoff, py);
screen_write_copy(ctx, data->backing, xoff,
(screen_hsize(data->backing) - data->oy) + py,
screen_size_x(s) - size, 1);
if (size < screen_size_x(s)) {
screen_write_cursormove(ctx, xoff, py);
screen_write_copy(ctx, data->backing, xoff,
(screen_hsize(data->backing) - data->oy) + py,
screen_size_x(s) - size, 1);
}
if (py == data->cy && data->cx == screen_size_x(s)) {
memcpy(&gc, &grid_default_cell, sizeof gc);