proc/escape.c: Prevent buffer overflows in escape_command().

This solves several problems:

1/ outbuf[1] was written to, but not outbuf[0], which was left
uninitialized (well, SECURE_ESCAPE_ARGS() already fixes this, but do it
explicitly as well); we know it is safe to write one byte to outbuf,
because SECURE_ESCAPE_ARGS() guarantees it.

2/ If bytes was 1, the write to outbuf[1] was an off-by-one overflow.

3/ Do not call escape_str() with a 0 bufsize if bytes == overhead.

4/ Prevent various buffer overflows if bytes <= overhead.

diff --git a/proc/escape.c b/proc/escape.c
index 827337fec5df371e98db8395283c4db3d177e1c0..82cd68210b73133ccf94db0bc7926403671d443d 100644 (file)
--- a/proc/escape.c
+++ b/proc/escape.c
@@ -217,11 +217,10 @@ int escape_command(char *restrict const outbuf, const proc_t *restrict const pp,
     if(pp->state=='Z') overhead += 10;    // chars in " <defunct>"
     else flags &= ~ESC_DEFUNCT;
   }
-  if(overhead + 1 >= *cells){  // if no room for even one byte of the command name
-    // you'd damn well better have _some_ space
-//    outbuf[0] = '-';  // Oct23
-    outbuf[1] = '\0';
-    return 1;
+  if(overhead + 1 >= *cells || // if no room for even one byte of the command name
+     overhead + 1 >= bytes){
+    outbuf[0] = '\0';
+    return 0;
   }
   if(flags & ESC_BRACKETS){
     outbuf[end++] = '[';