From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: top: Check width and col. X-Git-Tag: v3.3.15~41 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=bbe58d7e0af4b0c089a15da203b283421dc8a3d4;p=procps-ng top: Check width and col. Otherwise they may lead to out-of-bounds writes (snprintf() returns the number of characters which would have been written if enough space had been available). Also, make sure buf is null-terminated after COLPLUSCH has been written. --- diff --git a/top/top.c b/top/top.c index d58376a6..d656314a 100644 --- a/top/top.c +++ b/top/top.c @@ -203,7 +203,7 @@ static int *PHash_sav = HHash_one, // alternating 'old/new' hash tables static int Autox_array [EU_MAXPFLGS], Autox_found; #define AUTOX_NO EU_MAXPFLGS -#define AUTOX_COL(f) if (EU_MAXPFLGS > f) Autox_array[f] = Autox_found = 1 +#define AUTOX_COL(f) if (EU_MAXPFLGS > f && f >= 0) Autox_array[f] = Autox_found = 1 #define AUTOX_MODE (0 > Rc.fixed_widest) /* Support for scale_mem and scale_num (to avoid duplication. */ @@ -1643,7 +1643,10 @@ static inline const char *make_num (long num, int width, int justr, int col, int goto end_justifies; if (width < snprintf(buf, sizeof(buf), "%ld", num)) { + if (width <= 0 || (size_t)width >= sizeof(buf)) + width = sizeof(buf)-1; buf[width-1] = COLPLUSCH; + buf[width] = '\0'; AUTOX_COL(col); } end_justifies: @@ -1658,7 +1661,10 @@ static inline const char *make_str (const char *str, int width, int justr, int c static char buf[SCREENMAX]; if (width < snprintf(buf, sizeof(buf), "%s", str)) { + if (width <= 0 || (size_t)width >= sizeof(buf)) + width = sizeof(buf)-1; buf[width-1] = COLPLUSCH; + buf[width] = '\0'; AUTOX_COL(col); } return justify_pad(buf, width, justr);