ps/output.c: Harden forest_helper().

This patch solves several problems:

1/ Limit the number of characters written (to outbuf) to OUTBUF_SIZE-1
(-1 for the null-terminator).

2/ Always null-terminate outbuf at q.

3/ Move the "rightward" checks *before* the strcpy() calls.

4/ Avoid an integer overflow in these checks (e.g., rightward-4).

diff --git a/ps/output.c b/ps/output.c
index 8c4c201c95f36593b034522e6915243d6566ddea..0c63bb664a56e544542747f367eec1b9b85618e0 100644 (file)
--- a/ps/output.c
+++ b/ps/output.c
@@ -339,11 +339,13 @@ STIME     stime   hms or md time format
 static int forest_helper(char *restrict const outbuf){
   char *p = forest_prefix;
   char *q = outbuf;
-  int rightward=max_rightward;
+  int rightward = max_rightward < OUTBUF_SIZE ? max_rightward : OUTBUF_SIZE-1;
+  *q = '\0';
   if(!*p) return 0;
   /* Arrrgh! somebody defined unix as 1 */
   if(forest_type == 'u') goto unixy;
   while(*p){
+    if (rightward < 4) break;
     switch(*p){
     case ' ': strcpy(q, "    ");  break;
     case 'L': strcpy(q, " \\_ "); break;
@@ -351,10 +353,6 @@ static int forest_helper(char *restrict const outbuf){
     case '|': strcpy(q, " |  ");  break;
     case '\0': return q-outbuf;    /* redundant & not used */
     }
-    if (rightward-4 < 0) {
-      *(q+rightward)='\0';
-      return max_rightward;
-    }
     q += 4;
     rightward -= 4;
     p++;
@@ -362,6 +360,7 @@ static int forest_helper(char *restrict const outbuf){
   return q-outbuf;   /* gcc likes this here */
 unixy:
   while(*p){
+    if (rightward < 2) break;
     switch(*p){
     case ' ': strcpy(q, "  "); break;
     case 'L': strcpy(q, "  "); break;
@@ -369,10 +368,6 @@ unixy:
     case '|': strcpy(q, "  "); break;
     case '\0': return q-outbuf;    /* redundant & not used */
     }
-    if (rightward-2 < 0) {
-      *(q+rightward)='\0';
-      return max_rightward;
-    }
     q += 2;
     rightward -= 2;
     p++;