From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: proc/escape.c: Prevent buffer overflows in escape_command(). X-Git-Tag: v3.3.15~91 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7efa1022483d205bcfb392d810b05684ae21055d;p=procps-ng proc/escape.c: Prevent buffer overflows in escape_command(). This solves several problems: 1/ outbuf[1] was written to, but not outbuf[0], which was left uninitialized (well, SECURE_ESCAPE_ARGS() already fixes this, but do it explicitly as well); we know it is safe to write one byte to outbuf, because SECURE_ESCAPE_ARGS() guarantees it. 2/ If bytes was 1, the write to outbuf[1] was an off-by-one overflow. 3/ Do not call escape_str() with a 0 bufsize if bytes == overhead. 4/ Prevent various buffer overflows if bytes <= overhead. --- diff --git a/proc/escape.c b/proc/escape.c index 827337fe..82cd6821 100644 --- a/proc/escape.c +++ b/proc/escape.c @@ -217,11 +217,10 @@ int escape_command(char *restrict const outbuf, const proc_t *restrict const pp, if(pp->state=='Z') overhead += 10; // chars in " " else flags &= ~ESC_DEFUNCT; } - if(overhead + 1 >= *cells){ // if no room for even one byte of the command name - // you'd damn well better have _some_ space -// outbuf[0] = '-'; // Oct23 - outbuf[1] = '\0'; - return 1; + if(overhead + 1 >= *cells || // if no room for even one byte of the command name + overhead + 1 >= bytes){ + outbuf[0] = '\0'; + return 0; } if(flags & ESC_BRACKETS){ outbuf[end++] = '[';
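Review bot: the unconditional write `outbuf[0] = '\0';` in the new early-return branch is safe only if `bytes` is at least 1, and nothing in this hunk establishes that. The commit message attributes the guarantee to SECURE_ESCAPE_ARGS(), so a one-line comment at the write naming that dependency would keep a later refactor from silently removing the protection. A second point on the same branch: the condition now has two clauses, but the retained comment "if no room for even one byte of the command name" sits only on the `*cells` clause. A short comment on `overhead + 1 >= bytes` should say that it bounds the buffer size rather than the cell count. The return value of this path also changes from 1 to 0, which matches the empty string now stored in `outbuf`. Callers are not visible in this hunk, so it is worth confirming that none of them relied on a nonzero return here, and that the comparison against `bytes` behaves as intended for the declared types of `overhead` and `bytes`, which are also not visible in this hunk.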