From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: 0098-top: Check i when setting Curwin in config_file(). X-Git-Tag: v4.0.0~580 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0b0356de5c84cc8ab22306896665344dc4afe316;p=procps-ng 0098-top: Check i when setting Curwin in config_file(). Otherwise it leads to out-of-bounds reads (and maybe writes). --- diff --git a/top/top.c b/top/top.c index e13feb62..cf4c0744 100644 --- a/top/top.c +++ b/top/top.c @@ -3225,6 +3225,8 @@ static const char *config_file (FILE *fp, const char *name, float *delay) { if (Rc.id < 'a' || Rc.id > RCF_VERSION_ID) return p; // you saw that, right? (fscanf stickin' it to 'i') + if (i < 0 || i >= GROUPSMAX) + return p; Curwin = &Winstk[i]; // this may be ugly, but it keeps us locale independent... *delay = (float)tmp_whole + (float)tmp_fract / 1000;
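Review bot: The range check added before `Curwin = &Winstk[i];` only helps if `i` was actually assigned by the `fscanf` call the existing comment refers to, so please confirm that the conversion count of that `fscanf` is checked earlier in `config_file()`. That call is outside this hunk, and if it is not checked, a short or malformed line could leave `i` holding an in-range but stale value. The check itself is in the right place and covers both ends (`i < 0 || i >= GROUPSMAX`), which matters if `i` is a signed value read from the file. Two smaller points. The bound is written as `GROUPSMAX`, which assumes `Winstk` is declared with exactly that many elements (the declaration is not visible here), and deriving the limit from the array would keep the two from drifting apart. The new lines would also benefit from a short comment stating that `i` comes from the configuration file and is untrusted, since "you saw that, right?" does not say so. Returning `p` matches the `Rc.id` check directly above, so a bad window index is reported the same way as a bad version id.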