From: Qualys Security Advisory
Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000)
Subject: ps/sortformat.c: Catch negative width in format_parse().
X-Git-Tag: v3.3.15~77
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cde22815af8611620eaa1e55acaadb793202b8b9;p=procps-ng

ps/sortformat.c: Catch negative width in format_parse().

The existing strspn() check guarantees that the string contains no '-' but atoi() does not catch errors, especially not integer overflows.
---
diff --git a/ps/sortformat.c b/ps/sortformat.c
index 1594da62..81b737ce 100644
--- a/ps/sortformat.c
+++ b/ps/sortformat.c
@@ -271,7 +271,7 @@ static const char *format_parse(sf_node *sfn){
 if(colon_loc){ /* if width override */
 *colon_loc = '\0';
 colon_loc++;
- if(strspn(colon_loc,"0123456789") != strlen(colon_loc) || *colon_loc=='0' || !*colon_loc){
+ if(strspn(colon_loc,"0123456789") != strlen(colon_loc) || *colon_loc=='0' || !*colon_loc || atoi(colon_loc) <= 0){
 free(buf);
 goto badwidth;
 }
@@ -296,6 +296,7 @@ static const char *format_parse(sf_node *sfn){
 }
 // FIXME: enforce signal width to 8, 9, or 16 (grep: SIGNAL wide_signals)
 fnode->width = atoi(colon_loc); // already verified to be a number
+ if(fnode->width <= 0) catastrophic_failure(__FILE__, __LINE__, _("please report this bug"));
 }
 endp = fnode; while(endp->next) endp = endp->next; /* find end */
 endp->next = sfn->f_cooked;
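Review bot: The added `atoi(colon_loc) <= 0` test in the width-override check still relies on atoi(), whose result for an out-of-range digit string is undefined by the C standard; where the library truncates a long to int, an over-long value can wrap to a small positive width and pass the check. Parsing once with strtol() makes the rejection deterministic: `errno = 0; long w = strtol(colon_loc, &end, 10);` followed by `if(errno || *end || w <= 0 || w > INT_MAX){ free(buf); goto badwidth; }`. The same applies to `fnode->width = atoi(colon_loc);` in the second hunk, which parses the string again and only afterwards checks the sign; storing the value that was already validated would remove the second parse, assuming both hunks operate on the same string. Neither hunk shows an upper bound on the width, so whether a very large positive value is safe for the code that consumes `fnode->width` should be confirmed. format_parse() starts and ends outside both hunks.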