mirror of
https://github.com/tmux/tmux.git
synced 2025-01-21 14:00:52 +00:00
Don't blindly increase offsets by the return value of snprintf, if there
wasn't enough space this will go off the end. Instead clamp to the available space. Fixes crash reported by Julien Rebetez.
This commit is contained in:
parent
73c5a487c1
commit
b8bda67f30
12
arguments.c
12
arguments.c
@ -125,7 +125,7 @@ args_free(struct args *args)
|
|||||||
size_t
|
size_t
|
||||||
args_print(struct args *args, char *buf, size_t len)
|
args_print(struct args *args, char *buf, size_t len)
|
||||||
{
|
{
|
||||||
size_t off;
|
size_t off, used;
|
||||||
int i;
|
int i;
|
||||||
const char *quotes;
|
const char *quotes;
|
||||||
struct args_entry *entry;
|
struct args_entry *entry;
|
||||||
@ -165,9 +165,12 @@ args_print(struct args *args, char *buf, size_t len)
|
|||||||
quotes = "\"";
|
quotes = "\"";
|
||||||
else
|
else
|
||||||
quotes = "";
|
quotes = "";
|
||||||
off += xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
|
used = xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
|
||||||
off != 0 ? " " : "", entry->flag, quotes, entry->value,
|
off != 0 ? " " : "", entry->flag, quotes, entry->value,
|
||||||
quotes);
|
quotes);
|
||||||
|
if (used > len - off)
|
||||||
|
used = len - off;
|
||||||
|
off += used;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* And finally the argument vector. */
|
/* And finally the argument vector. */
|
||||||
@ -181,8 +184,11 @@ args_print(struct args *args, char *buf, size_t len)
|
|||||||
quotes = "\"";
|
quotes = "\"";
|
||||||
else
|
else
|
||||||
quotes = "";
|
quotes = "";
|
||||||
off += xsnprintf(buf + off, len - off, "%s%s%s%s",
|
used = xsnprintf(buf + off, len - off, "%s%s%s%s",
|
||||||
off != 0 ? " " : "", quotes, args->argv[i], quotes);
|
off != 0 ? " " : "", quotes, args->argv[i], quotes);
|
||||||
|
if (used > len - off)
|
||||||
|
used = len - off;
|
||||||
|
off += used;
|
||||||
}
|
}
|
||||||
|
|
||||||
return (off);
|
return (off);
|
||||||
|
10
cmd-list.c
10
cmd-list.c
@ -103,7 +103,7 @@ size_t
|
|||||||
cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
|
cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
|
||||||
{
|
{
|
||||||
struct cmd *cmd;
|
struct cmd *cmd;
|
||||||
size_t off;
|
size_t off, used;
|
||||||
|
|
||||||
off = 0;
|
off = 0;
|
||||||
TAILQ_FOREACH(cmd, &cmdlist->list, qentry) {
|
TAILQ_FOREACH(cmd, &cmdlist->list, qentry) {
|
||||||
@ -112,8 +112,12 @@ cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
|
|||||||
off += cmd_print(cmd, buf + off, len - off);
|
off += cmd_print(cmd, buf + off, len - off);
|
||||||
if (off >= len)
|
if (off >= len)
|
||||||
break;
|
break;
|
||||||
if (TAILQ_NEXT(cmd, qentry) != NULL)
|
if (TAILQ_NEXT(cmd, qentry) != NULL) {
|
||||||
off += xsnprintf(buf + off, len - off, " ; ");
|
used = xsnprintf(buf + off, len - off, " ; ");
|
||||||
|
if (used > len - off)
|
||||||
|
used = len - off;
|
||||||
|
off += used;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return (off);
|
return (off);
|
||||||
}
|
}
|
||||||
|
@ -1194,8 +1194,8 @@ window_copy_write_line(
|
|||||||
screen_write_puts(ctx, &gc, "%s", hdr);
|
screen_write_puts(ctx, &gc, "%s", hdr);
|
||||||
} else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
|
} else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
|
||||||
limit = sizeof hdr;
|
limit = sizeof hdr;
|
||||||
if (limit > screen_size_x(s))
|
if (limit > screen_size_x(s) + 1)
|
||||||
limit = screen_size_x(s);
|
limit = screen_size_x(s) + 1;
|
||||||
if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
|
if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
|
||||||
xoff = size = xsnprintf(hdr, limit,
|
xoff = size = xsnprintf(hdr, limit,
|
||||||
"Repeat: %u", data->numprefix);
|
"Repeat: %u", data->numprefix);
|
||||||
@ -1208,10 +1208,12 @@ window_copy_write_line(
|
|||||||
} else
|
} else
|
||||||
size = 0;
|
size = 0;
|
||||||
|
|
||||||
|
if (size < screen_size_x(s)) {
|
||||||
screen_write_cursormove(ctx, xoff, py);
|
screen_write_cursormove(ctx, xoff, py);
|
||||||
screen_write_copy(ctx, data->backing, xoff,
|
screen_write_copy(ctx, data->backing, xoff,
|
||||||
(screen_hsize(data->backing) - data->oy) + py,
|
(screen_hsize(data->backing) - data->oy) + py,
|
||||||
screen_size_x(s) - size, 1);
|
screen_size_x(s) - size, 1);
|
||||||
|
}
|
||||||
|
|
||||||
if (py == data->cy && data->cx == screen_size_x(s)) {
|
if (py == data->cy && data->cx == screen_size_x(s)) {
|
||||||
memcpy(&gc, &grid_default_cell, sizeof gc);
|
memcpy(&gc, &grid_default_cell, sizeof gc);
|
||||||
|
Loading…
Reference in New Issue
Block a user