circlecloud/tmux
1
0
Fork 0
mirror of https://github.com/tmux/tmux.git synced 2025-01-15 05:09:04 +00:00
Code Issues Projects Releases Wiki Activity

Don't blindly increase offsets by the return value of snprintf, if there

Browse Source 
wasn't enough space this will go off the end. Instead clamp to the
available space. Fixes crash reported by Julien Rebetez.
This commit is contained in:
nicm 2014-04-11 19:35:54 +00:00
parent 73c5a487c1
commit b8bda67f30
3 changed files with 24 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
arguments.c
View File

@ -125,7 +125,7 @@ args_free(struct args *args)
size_t size_t
args_print(struct args *args, char *buf, size_t len) args_print(struct args *args, char *buf, size_t len)
{ {
size_t off; size_t off, used;
int i; int i;
const char *quotes; const char *quotes;
struct args_entry *entry; struct args_entry *entry;
@ -165,9 +165,12 @@ args_print(struct args *args, char *buf, size_t len)
quotes = "\""; quotes = "\"";
else else
quotes = ""; quotes = "";
off += xsnprintf(buf + off, len - off, "%s-%c %s%s%s", used = xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
off != 0 ? " " : "", entry->flag, quotes, entry->value, off != 0 ? " " : "", entry->flag, quotes, entry->value,
quotes); quotes);
if (used > len - off)
used = len - off;
off += used;
} }
/* And finally the argument vector. */ /* And finally the argument vector. */
@ -181,8 +184,11 @@ args_print(struct args *args, char *buf, size_t len)
quotes = "\""; quotes = "\"";
else else
quotes = ""; quotes = "";
off += xsnprintf(buf + off, len - off, "%s%s%s%s", used = xsnprintf(buf + off, len - off, "%s%s%s%s",
off != 0 ? " " : "", quotes, args->argv[i], quotes); off != 0 ? " " : "", quotes, args->argv[i], quotes);
if (used > len - off)
used = len - off;
off += used;
} }
return (off); return (off);

10
cmd-list.c
View File

@ -103,7 +103,7 @@ size_t
cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len) cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
{ {
struct cmd *cmd; struct cmd *cmd;
size_t off; size_t off, used;
off = 0; off = 0;
TAILQ_FOREACH(cmd, &cmdlist->list, qentry) { TAILQ_FOREACH(cmd, &cmdlist->list, qentry) {
@ -112,8 +112,12 @@ cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
off += cmd_print(cmd, buf + off, len - off); off += cmd_print(cmd, buf + off, len - off);
if (off >= len) if (off >= len)
break; break;
if (TAILQ_NEXT(cmd, qentry) != NULL) if (TAILQ_NEXT(cmd, qentry) != NULL) {
off += xsnprintf(buf + off, len - off, " ; "); used = xsnprintf(buf + off, len - off, " ; ");
if (used > len - off)
used = len - off;
off += used;
}
} }
return (off); return (off);
} }

6
window-copy.c
View File

@ -1194,8 +1194,8 @@ window_copy_write_line(
screen_write_puts(ctx, &gc, "%s", hdr); screen_write_puts(ctx, &gc, "%s", hdr);
} else if (py == last && data->inputtype != WINDOW_COPY_OFF) { } else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
limit = sizeof hdr; limit = sizeof hdr;
if (limit > screen_size_x(s)) if (limit > screen_size_x(s) + 1)
limit = screen_size_x(s); limit = screen_size_x(s) + 1;
if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) { if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
xoff = size = xsnprintf(hdr, limit, xoff = size = xsnprintf(hdr, limit,
"Repeat: %u", data->numprefix); "Repeat: %u", data->numprefix);
@ -1208,10 +1208,12 @@ window_copy_write_line(
} else } else
size = 0; size = 0;
if (size < screen_size_x(s)) {
screen_write_cursormove(ctx, xoff, py); screen_write_cursormove(ctx, xoff, py);
screen_write_copy(ctx, data->backing, xoff, screen_write_copy(ctx, data->backing, xoff,
(screen_hsize(data->backing) - data->oy) + py, (screen_hsize(data->backing) - data->oy) + py,
screen_size_x(s) - size, 1); screen_size_x(s) - size, 1);
}
if (py == data->cy && data->cx == screen_size_x(s)) { if (py == data->cy && data->cx == screen_size_x(s)) {
memcpy(&gc, &grid_default_cell, sizeof gc); memcpy(&gc, &grid_default_cell, sizeof gc);