top: Prevent buffer overflow in calibrate_fields().

pflgsall[] can contain PFLAGSSIZ = 100 elements, each iteration of the
loop can write 3 elements to pflgsall[], and there are EU_MAXPFLGS = 58
iterations: a buffer overflow (it can be triggered via the configuration
file, for example, by filling "fieldscur" with the "sortindx" flag).

diff --git a/top/top.c b/top/top.c
index 196df32e2040b7af8e0fdf930ce123ced71c8183..ea4d1a4b0ca34928157eaa551bbb66764ca2bc5d 100644 (file)
--- a/top/top.c
+++ b/top/top.c
@@ -2143,12 +2143,13 @@ static void calibrate_fields (void) {
          w->hdrcaplen = 0;   // really only used with USE_X_COLHDR
          // build window's pflgsall array, establish upper bounds for maxpflgs
          for (i = 0, w->totpflgs = 0; i < EU_MAXPFLGS; i++) {
-            if (FLDviz(w, i)) {
+            if (FLDviz(w, i) && w->totpflgs < PFLAGSSIZ) {
                f = FLDget(w, i);
 #ifdef USE_X_COLHDR
                w->pflgsall[w->totpflgs++] = f;
 #else
-               if (CHKw(w, Show_HICOLS) && f == w->rc.sortindx) {
+               if (CHKw(w, Show_HICOLS) && f == w->rc.sortindx &&
+                  w->totpflgs <= PFLAGSSIZ - 3) {
                   w->pflgsall[w->totpflgs++] = EU_XON;
                   w->pflgsall[w->totpflgs++] = f;
                   w->pflgsall[w->totpflgs++] = EU_XOF;