0048-ps/output.c: Make sure all escape*() arguments are safe.

The SECURE_ESCAPE_ARGS() macro solves several potential problems
(although we found no problematic calls to the escape*() functions in
procps's code-base, but had to thoroughly review every call; and this is
library code):

1/ off-by-one overflows if the size of the destination buffer is 0;

2/ buffer overflows if this size (or "maxroom") is negative;

3/ integer overflows (for example, "*maxcells+1");

4/ always null-terminate the destination buffer (unless its size is 0).

---------------------------- adapted for newlib branch
. formerly applied to proc/escape.c
. function was moved to ps/output.c

Signed-off-by: Jim Warner <james.warner@comcast.net>

diff --git a/ps/output.c b/ps/output.c
index c0f59068abfe890d3d15958b42176b09e5268b1d..a75e234cdd5ce8e911f464b13e754294e19f586a 100644 (file)
--- a/ps/output.c
+++ b/ps/output.c
@@ -110,9 +110,19 @@ static void get_memory_total()
     procps_meminfo_unref(&mem_info);
 }
 
+#define SECURE_ESCAPE_ARGS(dst, bytes, cells) do { \
+  if ((bytes) <= 0) return 0; \
+  *(dst) = '\0'; \
+  if ((bytes) >= INT_MAX) return 0; \
+  if ((cells) >= INT_MAX) return 0; \
+  if ((cells) <= 0) return 0; \
+} while (0)
+
 // copy an already 'escaped' string,
 static int escaped_copy(char *restrict dst, const char *restrict src, int bufsize, int *maxroom){
     int n;
+
+    SECURE_ESCAPE_ARGS(dst, bufsize, *maxroom);
     if (bufsize > *maxroom+1)
         bufsize = *maxroom+1;
     n = snprintf(dst, bufsize, "%s", src);