From: Qualys Security Advisory Date: Thu, 1 Jan 1970 00:00:00 +0000 (+0000) Subject: ps/output.c: Harden forest_helper(). X-Git-Tag: v3.3.15~89 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d31f5eb5455171dc5464bed2ceda675eaa7ac1d8;p=procps-ng ps/output.c: Harden forest_helper(). This patch solves several problems: 1/ Limit the number of characters written (to outbuf) to OUTBUF_SIZE-1 (-1 for the null-terminator). 2/ Always null-terminate outbuf at q. 3/ Move the "rightward" checks *before* the strcpy() calls. 4/ Avoid an integer overflow in these checks (e.g., rightward-4).
---
diff --git a/ps/output.c b/ps/output.c
index 8c4c201c..0c63bb66 100644
--- a/ps/output.c
+++ b/ps/output.c
@@ -339,11 +339,13 @@ STIME stime hms or md time format
 static int forest_helper(char *restrict const outbuf){
 char *p = forest_prefix;
 char *q = outbuf;
- int rightward=max_rightward;
+ int rightward = max_rightward < OUTBUF_SIZE ? max_rightward : OUTBUF_SIZE-1;
+ *q = '\0';
 if(!*p) return 0;
 /* Arrrgh! somebody defined unix as 1 */
 if(forest_type == 'u') goto unixy;
 while(*p){
+ if (rightward < 4) break;
 switch(*p){
 case ' ': strcpy(q, " "); break;
 case 'L': strcpy(q, " \\_ "); break;
@@ -351,10 +353,6 @@ static int forest_helper(char *restrict const outbuf){
 case '|': strcpy(q, " | "); break;
 case '\0': return q-outbuf; /* redundant & not used */
 }
- if (rightward-4 < 0) {
- *(q+rightward)='\0';
- return max_rightward;
- }
 q += 4;
 rightward -= 4;
 p++;
@@ -362,6 +360,7 @@ static int forest_helper(char *restrict const outbuf){
 return q-outbuf; /* gcc likes this here */
 unixy:
 while(*p){
+ if (rightward < 2) break;
 switch(*p){
 case ' ': strcpy(q, " "); break;
 case 'L': strcpy(q, " "); break;
@@ -369,10 +368,6 @@ unixy:
 case '|': strcpy(q, " "); break;
 case '\0': return q-outbuf; /* redundant & not used */
 }
- if (rightward-2 < 0) {
- *(q+rightward)='\0';
- return max_rightward;
- }
 q += 2;
 rightward -= 2;
 p++;
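Review bot: The `switch(*p)` in the first loop (first and second hunks) shows no `default:` arm, so a byte in `forest_prefix` outside the listed cases would skip every `strcpy()` while `q += 4` still runs; the `unixy:` loop in the third hunk has the same shape with `q += 2`. The bytes between the old and new `q` would then never be written, yet the returned `q-outbuf` counts them, which undoes the "always null-terminate outbuf at q" guarantee from the commit message. Whether `forest_prefix` can hold such a byte depends on code outside this diff, and one switch line (old line 350) falls between the hunks, so this is inferred. A defensive arm such as `default: *q = '\0'; return q-outbuf;` in both switches would keep the buffer and the return value consistent.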
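Review bot: The early `if (rightward < 2) break;` in the `unixy:` loop (third hunk), like `if (rightward < 4) break;` in the first hunk, changes the return value on truncation, and nothing documents it. The removed branches returned `max_rightward`, whereas the first loop now falls through to `return q-outbuf;`, which can be smaller. The clamp to `OUTBUF_SIZE-1` also assumes `outbuf` points at the start of a buffer of at least `OUTBUF_SIZE` bytes, since the function takes no length argument. A header comment would make both explicit, e.g. `/* outbuf must have room for OUTBUF_SIZE bytes; returns the number of bytes written, excluding the NUL, which may be less than max_rightward */`. The return after the `unixy:` loop lies outside the hunks, so it is presumed to mirror the first loop.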