]> granicus.if.org Git - procps-ng/log
procps-ng
6 years agotop: a few tweaks for those scrolling (mostly) changes
Jim Warner [Thu, 21 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: a few tweaks for those scrolling (mostly) changes

This patch just addresses some edge cases with respect
to 'unseen' tasks. Given the ability to preserve other
filters in the rcfile, it's entirely possible the very
first task(s) may not be visible at top startup. Also,
when switching between windows ('a'/'w') we should try
to always position its row #1 on some visible process.

Lastly, a window might have *NO* visible tasks at all.
Therefore, protect 'window_hlp' from an infinite loop.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: normalize vertical scrolling for hidden processes
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: normalize vertical scrolling for hidden processes

To my knowledge, nobody has ever complained about some
anomalies when scrolling vertically if tasks should be
hidden from view. This can happen with the user filter
('u/U') or other filter ('o/O') features. And although
some tasks are not shown, they still impact scrolling.

This is most apparent when that scroll coordinates msg
is on ('C') & up/down arrow keys used (vs. pgup/pgdn).

Now that we can collapse/expand forked children, there
is a potential for yet more of those hidden processes.

So this commit normalizes vertical scrolling providing
an expected behavior. In other words, the up/down keys
skip the unseen tasks to reposition on a visible task.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: refactor the 'scroll coordinates' message support
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: refactor the 'scroll coordinates' message support

This patch is simply preparation for upcoming vertical
scrolling enhancements. With those changes, it will be
impossible to predict what the beginning task position
should be at the time the message is currently issued.

This patch will allow such a message to be shown after
the individual windows' tasks have all been displayed.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: allow collapsible forest view children, documents
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: allow collapsible forest view children, documents

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: allow collapsible forest view children, pgm logic
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: allow collapsible forest view children, pgm logic

The issue cited below really dealt with preserving the
'Other filter' criteria in the rcfile. But as an aside
the htop 'F6' feature (collapsed children) was raised.

I took that as an implied challenge and decided to try
implementing a similar feature in top. So, this commit
will now provide a brand new forest view toggle ('^V')
which will be used to collapse/expand forked children.

[ this patch will also lead to additional patches in ]
[ support of more rational vertical scrolling, since ]
[ many more tasks might now be hidden in some window ]

Reference(s):
. where this secondary issue was raised
https://gitlab.com/procps-ng/procps/issues/99

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: to prepare for collapse, move forest view support
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: to prepare for collapse, move forest view support

In anticipation of a new collapsible child feature, we
will have to make some forest view variables available
to that 'keys_task()' function. This commit just moves
the forest view logic ahead of tertiary input support.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: 'other filters' saved with config file, documents
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: 'other filters' saved with config file, documents

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: 'other filters' saved with config file, pgm logic
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: 'other filters' saved with config file, pgm logic

Well, after the rearranging and refactoring, all those
active 'other filter' entries for each window will now
be preserved in the user's configuration file via 'W'.

For raising the issue below, thanks to Marco Ippolito.

Reference(s):
https://gitlab.com/procps-ng/procps/issues/99

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: refactored some more peripheral 'inspect' support
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: refactored some more peripheral 'inspect' support

These modifications are being made now in anticipation
of some coming 'other filter' config file changes. Our
entries must be written last to the rc file since that
is where the users have been told to 'echo' additions.

Therefore, that 'config_insp' function must be adapted
to anticipate a passed buffer that was already primed.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: refactored some of that 'other filtering' support
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: refactored some of that 'other filtering' support

If we are to support preserving 'other filter' entries
in the rcfile, then the current logic setting up those
osel entries for a WIN_t must be shareable for startup
and when interacting with a user. So, this commit just
repositions this current code in a shareable function.

[ along the way, we give the prior guy a proper name ]

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: reposition some of that 'other filtering' support
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: reposition some of that 'other filtering' support

When we get around to saving that 'Other Filter' stuff
in the rcfile, we'll need access to the Fieldstab plus
the justify_pad() function. So this commit repositions
two 'osel' functions in anticipation of adding 1 more.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: refactor some of that configuration files support
Jim Warner [Wed, 20 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: refactor some of that configuration files support

The 'config_file()' function was getting a little long
in the tooth, so this commit simply renames/rearranges
some stuff anticipating 'other filters' in the rcfile.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: let's honor <Esc> key on color mapping screen too
Jim Warner [Tue, 19 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: let's honor <Esc> key on color mapping screen too

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: make rcfile duplicate fields check more efficient
Jim Warner [Tue, 19 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: make rcfile duplicate fields check more efficient

Jeeze, there was no need to employ *both* strchr() and
strrchr() when ensuring fields hadn't been duplicated.

So let's avoid one of those function calls completely.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0125-vmstat: Prevent out-of-bounds writes in new_header() and diskheader().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0125-vmstat: Prevent out-of-bounds writes in new_header() and diskheader().

This does not happen with the default string (" -----timestamp-----"),
but this string is translated (to unknown lengths).

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0124-vmstat: Check return values of localtime() and strftime().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0124-vmstat: Check return values of localtime() and strftime().

Otherwise it leads to NULL-pointer dereferences (in case of localtime()
errors) and indeterminate contents of timebuf (in case of strftime()
errors).

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0123-vmstat: Replace memcmp() with strncmp().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0123-vmstat: Replace memcmp() with strncmp().

Otherwise this may read out-of-bounds (there is no guarantee that 5
bytes are actually available at partition/optarg).

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0122-vmstat: getopt*() returns -1 when done, not EOF.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0122-vmstat: getopt*() returns -1 when done, not EOF.

Luckily, EOF is usually -1, but this is not guaranteed by the standard.

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0121-w: Clamp maxcmd to the MIN/MAX_CMD_WIDTH range.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0121-w: Clamp maxcmd to the MIN/MAX_CMD_WIDTH range.

The current checks allow out-of-range values (for example, if
getenv/atoi returns ~-2GB, maxcmd becomes ~+2GB after the subtraction).
This is not a security problem, none of this is under an attacker's
control.

6 years ago0120-w: Prevent out-of-bounds reads in print_display_or_interface().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0120-w: Prevent out-of-bounds reads in print_display_or_interface().

They occur if disp or tmp reaches host + len: add checks. Also, constify
everything.

6 years agomisc: Tell po4a to handle email macros
Craig Small [Thu, 7 Jun 2018 11:52:46 +0000 (21:52 +1000)]
misc: Tell po4a to handle email macros

References:
 https://www.freelists.org/post/procps/newlib-Qualys-patches

6 years ago0095-pmap: Fix extended mode in one_proc().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0095-pmap: Fix extended mode in one_proc().

Check the return value of sscanf() to make sure that all input items are
properly initialized.

In extended mode (x_option), one_proc() loads the values of start and
perms during one iteration of the while loop, and displays them during
one of the following iterations, but start and perms are variables local
to the while loop: move them out of the while loop, to the beginning of
the function.

Also, display a mapping only if cp2 is properly initialized; otherwise
(for example), mappings that do not belong to a selected range are
displayed, and with a NULL mapping name:

$ pmap -x -A 6FFF00000000,7FFF00000000 $$
...
Address           Kbytes     RSS   Dirty Mode  Mapping
000055b3d1e9b000       0     912       0  r-xp (null)
000055b3d2194000       0      16      16  r--p (null)
000055b3d2198000       0      36      36  rw-p (null)
...

Removed const as this causes problems elsewhere.

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0093-pmap: Remove dead code in mapping_name().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0093-pmap: Remove dead code in mapping_name().

If "cp = strrchr(mapbuf_b, '/')" then this function returns, and
otherwise there is no '/' in mapbuf_b and "cp = strchr(mapbuf_b, '/')"
is always false: remove this second block, since it is never entered.
Also, constify a few things in this function.

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0092-pmap: Harden one_proc().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0092-pmap: Harden one_proc().

Replace sprintf() with snprintf().

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0091-pmap: Check sscanf() in discover_shm_minor().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0091-pmap: Check sscanf() in discover_shm_minor().

Need at least 6 items ("inode" is unused).

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0090-pmap: Fix output format of VmFlags.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0090-pmap: Fix output format of VmFlags.

In the headers, the space was misplaced; for example, "pmap -XX $$"
outputs "VmFlagsMapping" (without a space). Use justify_print() instead
of printf().

There was also an extra space in the output, because vmflags[] (from the
"VmFlags:" line) always ends with a space. Overwriting this last space
with a null byte fixes this misalignment.

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0089-pmap: Prevent buffer overflow in sscanf().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0089-pmap: Prevent buffer overflow in sscanf().

vmflags[] is a 27*(2+1)=81 char array, but there are 30 flags now (not
27), and even with 27 flags this was an off-by-one overflow (the kernel
always outputs a flag with "%c%c ", so the last +1 is for a space, not
for the terminating null byte). Protect vmflags[] with a maximum field
width, as in the surrounding sscanf() calls.

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0088-pmap: Always check the return value of fgets().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0088-pmap: Always check the return value of fgets().

Otherwise "the contents of the array remain unchanged and a null pointer
is returned" or "the array contents are indeterminate and a null pointer
is returned".

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0087-pmap: Fix parsing error in config_read().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0087-pmap: Fix parsing error in config_read().

$ echo '[' > crash
$ pmap -C crash $$
Segmentation fault (core dumped)

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0086-pmap: Prevent integer overflow in main().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0086-pmap: Prevent integer overflow in main().

Unlikely to ever happen, but just in case.

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0085-pmap.c: Plug memory leak in range_arguments().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0085-pmap.c: Plug memory leak in range_arguments().

Also, simplify the code slightly (but functionally equivalent). Check
the return value of xstrdup() only once (yes, it can return NULL).

Adapted slightly to remove goto and leave the format of checks the same.
A lot of the fixes were already in newlib, caught by coverity

References:
 commit 25f655891f4016ff9e241f1242e995d35e6b554c

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years ago0027-skill: Prevent multiple overflows in ENLIST().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0027-skill: Prevent multiple overflows in ENLIST().

First problem: saved_argc was used to calculate the size of the array,
but saved_argc was never initialized. This triggers an immediate heap-
based buffer overflow:

$ skill -c0 -c0 -c0 -c0
Segmentation fault (core dumped)

Second problem: saved_argc was not the upper bound anyway, because one
argument can ENLIST() several times (for example, in parse_namespaces())
and overflow the array as well.

Third problem: integer overflow of the size of the array.

6 years ago0026-skill: Fix double-increment of pid_count.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0026-skill: Fix double-increment of pid_count.

No need to "pid_count++;" because "ENLIST(pid," does it already. Right
now this can trigger a heap-based buffer overflow.

Also, remove the unneeded "pid_count = 0;" (it is static, and
skillsnice_parse() is called only once; and the other *_count variables
are not initialized explicitly either).

6 years ago0024-skill: Always NULL-terminate argv.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0024-skill: Always NULL-terminate argv.

The memmove() itself does not move the NULL-terminator, because nargs is
decremented first. Copy how skill_sig_option() does it: decrement nargs
last, and remove the "if (nargs - i)" (we are in "while (i < nargs)").

6 years ago0023-skill: Fix getline() usage.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0023-skill: Fix getline() usage.

man getline: "If *lineptr is set to NULL and *n is set 0 before the
call, then getline() will allocate a buffer for storing the line. This
buffer should be freed by the user program even if getline() failed."

6 years ago0022-skill: Simplify the kill_main() loop.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0022-skill: Simplify the kill_main() loop.

Right now the "loop=0; break;" is never reached.

6 years ago0021-pwdx: Fix a misleading comment.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0021-pwdx: Fix a misleading comment.

It sounds like an off-by-one, but the code itself is correct.

6 years ago0020-pidof: Prevent integer overflows with grow_size().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0020-pidof: Prevent integer overflows with grow_size().

Note: unlike "size" and "omit_size", "path_alloc_size" is not multiplied
by "sizeof(struct el)" but the checks in grow_size() allow for a roughly
100MB path_alloc_size, which should be more than enough for readlink().

6 years ago0019-pidof: Do not memleak pidof_root if multiple -c options.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0019-pidof: Do not memleak pidof_root if multiple -c options.

6 years ago0018-pidof: Do not skip the NULL terminator in cmdline.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0018-pidof: Do not skip the NULL terminator in cmdline.

This should never happen (cmdline[0] should always be non-NULL), but
just in case.

6 years ago0017-pidof: Get the arg1 base name with get_basename().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0017-pidof: Get the arg1 base name with get_basename().

Same as program_base, cmd_arg0base, and exe_link_base.

6 years ago0015-tload: Prevent integer overflows of ncols, nrows, and scr_size.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0015-tload: Prevent integer overflows of ncols, nrows, and scr_size.

Also, use xerrx() instead of xerr() since errno is not set.

6 years ago0014-tload: Prevent a buffer overflow when row equals nrows.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0014-tload: Prevent a buffer overflow when row equals nrows.

When max_scale is very small, scale_fact is very small, row is equal to
nrows, p points outside screen, and the write to *p is out-of-bounds.

6 years ago0013-tload: Use snprintf() instead of sprintf().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0013-tload: Use snprintf() instead of sprintf().

6 years ago0012-tload: Call longjmp() 1 instead of 0.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0012-tload: Call longjmp() 1 instead of 0.

Do it explicitly instead of the implicit "longjmp() cannot cause 0 to be
returned. If longjmp() is invoked with a second argument of 0, 1 will be
returned instead."

6 years ago0011-tload: Use standard names instead of numbers.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0011-tload: Use standard names instead of numbers.

6 years ago0009-uptime: Check the return value of various functions.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0009-uptime: Check the return value of various functions.

6 years ago0007-pgrep: Always null-terminate the cmd*[] buffers.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0007-pgrep: Always null-terminate the cmd*[] buffers.

Otherwise, man strncpy: "If there is no null byte among the first n
bytes of src, the string placed in dest will not be null-terminated."

6 years ago0006-pgrep: Initialize the cmd*[] stack buffers.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0006-pgrep: Initialize the cmd*[] stack buffers.

Otherwise (for example), if the (undocumented) opt_echo is set, but not
opt_long, and not opt_longlong, and not opt_pattern, there is a call to
xstrdup(cmdoutput) but cmdoutput was never initialized:

sleep 60 & echo "$!" > pidfile
env -i LD_DEBUG=`perl -e 'print "A" x 131000'` pkill -e -c -F pidfile | xxd
...
000001c0: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
000001d0: 4141 4141 4141 4141 fcd4 e6bd e47f 206b  AAAAAAAA...... k
000001e0: 696c 6c65 6420 2870 6964 2031 3230 3931  illed (pid 12091
000001f0: 290a 310a                                ).1.
[1]+  Terminated              sleep 60

(the LD_DEBUG is just a trick to fill the initial stack with non-null
bytes, to show that there is uninitialized data from the stack in the
output; here, an address "fcd4 e6bd e47f")

6 years ago0005-pgrep: Simplify the match_*() functions.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0005-pgrep: Simplify the match_*() functions.

6 years ago0004-pgrep: Replace buf+1 with buf in read_pidfile().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0004-pgrep: Replace buf+1 with buf in read_pidfile().

Unless we missed something, this makes it unnecessarily difficult to
read/audit.

6 years ago0003-pgrep: Replace ints with longs in strict_atol().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0003-pgrep: Replace ints with longs in strict_atol().

atol() means long, and value points to a long.

6 years ago0002-pgrep: Prevent integer overflow of list size.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0002-pgrep: Prevent integer overflow of list size.

Not exploitable (not under an attacker's control), but still a potential
non-security problem. Copied, fixed, and used the grow_size() macro from
pidof.c.

Signed-off-by: Craig Small <csmall@enc.com.au>
6 years agotop: a tweak to the recent 256-color termninal support
Jim Warner [Fri, 8 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: a tweak to the recent 256-color termninal support

We now use the actual terminfo 'max_colors' value with
the 'color mapping' screen, not that hard coded '256'.

Reference(s):
https://gitlab.com/procps-ng/procps/issues/96

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: treat all of those vertical scroll keys uniformly
Jim Warner [Thu, 7 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: treat all of those vertical scroll keys uniformly

When not displaying all tasks (the 'i' toggle is off),
the concept of vertical scrolling has no real meaning.

However, only 2 keys (up/down) impacting that vertical
position were currently being disabled with this mode.

This patch will extend such treatment to the following
additional vertical impact keys: pgup,pgdn,home & end.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: force return to row 1 for thread mode transitions
Jim Warner [Thu, 7 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: force return to row 1 for thread mode transitions

This program does a good job of policing that vertical
scrolled position, ensuring that total tasks are never
exceeded. However, during transitions from thread mode
to normal task mode (the 'H' toggle) that wasn't true.

And while there was no real harm done, it did make the
use of up/down arrow keys "appear" disabled especially
if that scroll message was not displayed ('C' toggle).

This patch simply forces a return to row #1 whenever a
user toggles that display between thread & task modes.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: fix 'iokey()' flaw preventing proper translations
Jim Warner [Thu, 7 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: fix 'iokey()' flaw preventing proper translations

As it turns out, the very first entry in the 'iokey()'
tinfo_tab was preventing the proper translation of the
simulated PgUp/PgDn keys (ctrl+meta+k/j). Ignoring the
tortured history behind the most recent change to that
entry, this patch restores the previous value and once
again properly translates these particular keystrokes.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0067-ps/sortformat.c: Avoid "sep_loc + 1" when sep_loc is NULL.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0067-ps/sortformat.c: Avoid "sep_loc + 1" when sep_loc is NULL.

6 years ago0066-ps/sortformat.c: Handle large width in aix_format_parse().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0066-ps/sortformat.c: Handle large width in aix_format_parse().

Unlikely to ever happen, since it would imply a very large string, but
better safe than sorry.

---------------------------- adapted for newlib branch
. now uses 'xmalloc' vs. unchecked stdlib 'malloc'
. the member 'need' was removed from 'format_node'

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0065-ps/sortformat.c: Catch negative width in format_parse().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0065-ps/sortformat.c: Catch negative width in format_parse().

The existing strspn() check guarantees that the string contains no '-'
but atoi() does not catch errors, especially not integer overflows.

6 years ago0064-ps/sortformat.c: Double-check chars in verify_short_sort().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0064-ps/sortformat.c: Double-check chars in verify_short_sort().

To avoid an out-of-bounds access at checkoff[tmp]. The strspn() at the
beginning of the function protects against it already, but double-check
this in case of some future change.

6 years ago0062-ps/display.c: Always exit from signal_handler().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0062-ps/display.c: Always exit from signal_handler().

Right now, "we _exit() anyway" is not always true: for example, the
default action for SIGURG is to ignore the signal, which means that
"kill(getpid(), signo);" does not terminate the process. Call _exit()
explicitly, in this case (rather than exit(), because the terminating
kill() calls do not call the functions registered with atexit() either).

6 years ago0061-ps/output.c: Always null-terminate outbuf in show_one_proc().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0061-ps/output.c: Always null-terminate outbuf in show_one_proc().

Before "strlen(outbuf)", if one of the pr_*() functions forgot to do it.
This prevents an out-of-bounds read in strlen(), and an out-of-bounds
write in "outbuf[sz] = '\n'". Another solution would be to replace
strlen() with strnlen(), but this is not used anywhere else in the
code-base and may not exist in all libc's.

---------------------------- adapted for newlib branch
. adapted via 'patch' without rejections

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0060-ps/output.c: Protect outbuf in various pr_*() functions.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0060-ps/output.c: Protect outbuf in various pr_*() functions.

pr_bsdstart(): Replace "strcpy(outbuf," with "snprintf(outbuf, COLWID,"
(which is used in all surrounding functions). (side note: the fact that
many pr_*() functions simply return "snprintf(outbuf, COLWID," justifies
the "amount" checks added to show_one_proc() by the "ps/output.c:
Replace strcpy() with snprintf() in show_one_proc()." patch)

pr_stime(): Check the return value of strftime() (in case of an error,
"the contents of the array are undefined").

help_pr_sig(): Handle the "len < 8" case, otherwise "sig+len-8" may
point outside the sig string.

pr_context(): Handle the empty string case, or else "outbuf[len-1]"
points outside outbuf.

---------------------------- adapted for newlib branch
. logic is quite different with 'stacks' vs. 'proc_t'

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0059-ps/output.c: Enforce a safe range for max_rightward.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0059-ps/output.c: Enforce a safe range for max_rightward.

Enforce a maximum max_rightward of OUTBUF_SIZE-1, because it is used in
constructs such as "snprintf(outbuf, max_rightward+1," (we could remove
the extra check at the beginning of forest_helper() now, but we decided
to leave it, as a precaution and reminder).

The minimum max_rightward check is not strictly needed, because it is
unsigned. However, we decided to add it anyway:

- most of the other variables are signed;

- make it visually clear that this case is properly handled;

- ideally, the minimum max_rightward should be 1, not 0 (to prevent
  integer overflows such as "max_rightward-1"), but this might change
  the behavior/output of ps, so we decided against it, for now.

Instead, we fixed the only function that overflows if max_rightward is
0. Also, enforce the same safe range for max_leftward, although it is
never used throughout the code-base.

---------------------------- adapted for newlib branch
. adapted via 'patch' without rejections

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0058-ps/output.c: Replace strcpy() with snprintf() in show_one_proc().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0058-ps/output.c: Replace strcpy() with snprintf() in show_one_proc().

This strcpy() should normally not overflow outbuf, but names can be
overridden (via -o). Also, check "amount" in all cases.

---------------------------- adapted for newlib branch
. we don't use that 'likely/unlikely' crap in newlib

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0057-ps/output.c: Remove the page_shift variable.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0057-ps/output.c: Remove the page_shift variable.

It is static and not used anywhere.

---------------------------- adapted for newlib branch
. limited to whitespace/formatting differences

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0056-ps/output.c: Check return value of mmap() in init_output().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0056-ps/output.c: Check return value of mmap() in init_output().

We decided not to check the return value of the mprotect() calls,
because they are not vital to the operation of ps.

---------------------------- adapted for newlib branch
. many formatting/whitespace differences

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0055-ps/display.c: Harden show_tree().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0055-ps/display.c: Harden show_tree().

1/ Do not go deeper than the size of forest_prefix[], to prevent a
buffer overflow (sizeof(forest_prefix) is roughly 128K, but the maximum
/proc/sys/kernel/pid_max is 4M). (actually, we go deeper, but we stop
adding bytes to forest_prefix[])

2/ Always null-terminate forest_prefix[] at the current level.

---------------------------- adapted for newlib branch
. logic is quite different with 'stacks' vs. 'proc_t'
. a commented out 'debug' line was no longer present

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0054-ps/output.c: Fix outbuf overflows in pr_args() etc.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0054-ps/output.c: Fix outbuf overflows in pr_args() etc.

Because there is usually less than OUTBUF_SIZE available at endp.

---------------------------- adapted for newlib branch
. logic is quite different with 'stacks' vs. 'proc_t'
. ps no longer deals with the library 'FILL...' flags

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0053-ps/output.c: Harden forest_helper().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0053-ps/output.c: Harden forest_helper().

This patch solves several problems:

1/ Limit the number of characters written (to outbuf) to OUTBUF_SIZE-1
(-1 for the null-terminator).

2/ Always null-terminate outbuf at q.

3/ Move the "rightward" checks *before* the strcpy() calls.

4/ Avoid an integer overflow in these checks (e.g., rightward-4).

6 years ago0052-ps/output.c: Handle negative snprintf() return value.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0052-ps/output.c: Handle negative snprintf() return value.

May happen if strlen(src) > INT_MAX for example. This patch prevents
escaped_copy() from increasing maxroom and returning -1 (= number of
bytes consumed in dst).

---------------------------- adapted for newlib branch
. formerly applied to proc/escape.c
. function was moved to ps/output.c

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0048-ps/output.c: Make sure all escape*() arguments are safe.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0048-ps/output.c: Make sure all escape*() arguments are safe.

The SECURE_ESCAPE_ARGS() macro solves several potential problems
(although we found no problematic calls to the escape*() functions in
procps's code-base, but had to thoroughly review every call; and this is
library code):

1/ off-by-one overflows if the size of the destination buffer is 0;

2/ buffer overflows if this size (or "maxroom") is negative;

3/ integer overflows (for example, "*maxcells+1");

4/ always null-terminate the destination buffer (unless its size is 0).

---------------------------- adapted for newlib branch
. formerly applied to proc/escape.c
. function was moved to ps/output.c

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agops: move other initialization code after setREL macros
Jim Warner [Wed, 6 Jun 2018 05:00:00 +0000 (00:00 -0500)]
ps: move other initialization code after setREL macros

While the previous patch concerned an essential change
to avoid dereferencing those NULL pointers, this patch
could be considered optional. For consistency, it just
puts all initialization logic after the setREL macros.

[ plus along the way some inter-function spacing was ]
[ standardized with just a single blank line between ]

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agops: ensure functions not called prior to setREL macros
Jim Warner [Wed, 6 Jun 2018 05:00:00 +0000 (00:00 -0500)]
ps: ensure functions not called prior to setREL macros

Under newlib design, ps must loop though all potential
print functions so as to gather the appropriate enum's
while establishing the 'relative' equivalent. The keys
to the setREL/chkREL macros are a NULL 'outbuf' param.

It's imperative that no other functions be called with
that NULL value. Unfortunately, several instances were
found where this was violated. They are now corrected!

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agops/output.c: eliminate one irritating compiler warning
Jim Warner [Wed, 6 Jun 2018 05:00:00 +0000 (00:00 -0500)]
ps/output.c: eliminate one irritating compiler warning

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: provide the means to exploit a 256-color terminal
Jim Warner [Tue, 5 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: provide the means to exploit a 256-color terminal

With the Qualys security audit, we began to harden our
treatment of the top rcfile. In particular, the values
read were checked so as to prevent some malicious user
from editing it in order to achieve an evil objective.

However when it came to colors I was surprised to find
that at least one user edited the rcfile for 256-color
support. Unfortunately, our new checks prevented this.

So this commit will provide the means to exploit those
extra colors with no need to manually edit the rcfile.

Reference(s):
https://gitlab.com/procps-ng/procps/issues/96

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: sanitized some potentially corrupt 'Inspect' data
Jim Warner [Sun, 3 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: sanitized some potentially corrupt 'Inspect' data

This guards against rcfile 'Inspect' entries which may
include non-printable characters. While this shouldn't
occur, we have no real control over those crazy users.

[ and, while such data can't be used maliciously, it ]
[ does adversely impact such a user's screen display ]

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: prevent buffer overruns in 'inspection_utility()'
Jim Warner [Sun, 3 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: prevent buffer overruns in 'inspection_utility()'

For our master branch, a Qualys patch referenced below
was reverted as being unwarranted. That original patch
was not applied in this branch so there was no revert.

However, there was 1 specific problem their patch had,
in fact, prevented. Thus, this patch now addresses it.

Reference(s):
. original qualys patch
0109-top-Protect-scat-from-buffer-overflows.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: add another field sanity check in 'config_file()'
Jim Warner [Sun, 3 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: add another field sanity check in 'config_file()'

Until the Qualys security audit I had never considered
it a possibility that some malicious person might edit
the top config file to achieve some nefarious results.

And while the Qualys approach tended to concentrate on
the symptoms from such an effort, subsequent revisions
more properly concentrated on startup and that rcfile.

This commit completes those efforts with 1 more field.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: don't mess with groff line length in man document
Jim Warner [Sun, 3 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: don't mess with groff line length in man document

I've long since forgotten why the attempt to influence
groff line lengths was made. However, I did receive an
email regarding problems formatting postscript output.

Hopefully this patch will eliminate any such problems.

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agolibrary: avoid problems involving 'supgid' mishandling
Jim Warner [Sun, 3 Jun 2018 05:00:00 +0000 (00:00 -0500)]
library: avoid problems involving 'supgid' mishandling

Following that patch referenced below, the top SUPGRPS
field would produce a segmentation fault and ps SUPGRP
would often show "(null)". Such problems resulted from
some faulty logic in the status2proc() routine dealing
with 'Groups' (supgid) which served as a source field.

For many processes the original code produced an empty
string which prevented conversion to the expected "-".
Moreover, prior to release 3.3.15 such an empty string
will become 0 after strtol() which pwcache_get_group()
translates to 'root' yielding very misleading results.

So, now we'll check for empty '/proc/#/status/Groups:'
fields & consistently provide a "-" value for callers.

[ we'll also protect against future problems in that ]
[ new qualys logic by always ensuring valid 'supgrp' ]
[ pointers - logic which revealed our original flaw! ]

Reference(s):
. original qualys patch
0071-proc-readproc.c-Harden-supgrps_from_supgids.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agolibrary: refactor #define FALSE_THREADS dependent code
Jim Warner [Sun, 3 Jun 2018 05:00:00 +0000 (00:00 -0500)]
library: refactor #define FALSE_THREADS dependent code

This refactor was done in response to the Qualys patch
referenced below, which deals with some 'readeither()'
flaws under the master branch. Under our newlib branch
those flaws mostly disappear since the function is now
private. But without a redesign the #define is broken.

When the #define FALSE_THREADS is active, some special
strings showing "[ duplicate ENUM ]" will appear under
each child thread. Note that the real reason for those
appearing isn't being exercised, only their mechanics.

In reality, they only show when a user duplicates such
enums in a results stack & only 1 instance can own it.

Reference(s):
. original qualys patch
0084-proc-readproc.c-Work-around-a-design-flaw-in-readeit.patch
. QUICK_THREADS became FALSE_THREADS
commit c546d9dd4409ee11cd466c99a820a3b5dadfe3f4

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agolibrary: clean up some miscellaneous compiler warnings
Jim Warner [Sun, 3 Jun 2018 05:00:00 +0000 (00:00 -0500)]
library: clean up some miscellaneous compiler warnings

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: just respond to the increased command name length
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: just respond to the increased command name length

The command name for running tasks is displayed by top
in a variable length field, so the increase from 16 to
64 bytes was not a problem. However, there's one place
where top is sensitive to length - insp_view_choice().

So, this patch just bumps a buffer used to display it.

Reference(s):
. master branch increase to 64
commit 2cfdbbe897f0d4e41460c7c2b92acfc5804652c8

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: eliminate a couple of warnings of -Wunused-result
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: eliminate a couple of warnings of -Wunused-result

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: ensure sane rcfile values for the remaining stuff
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: ensure sane rcfile values for the remaining stuff

This will protect some remaining rcfile variables from
a possible manual editing of top's configuration file.

[ and correct two #error related boo-boos introduced ]
[ with the system default rcfile in the commit shown ]

Reference(s):
. introduced /etc/topdefaultrc
commit 55a42ae040eaa19fd3089f56d98ccbde5a9abc3a

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: Prevent out-of-bounds writes in PUFF(). __Tweaked
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: Prevent out-of-bounds writes in PUFF(). __Tweaked

This commit moves some overhead to the Batch mode path
where it's needed. And given the new 'else if' test we
can delete some now redundant logic in the other path.

Reference(s):
. original qualys patch
0117-top-Prevent-out-of-bounds-writes-in-PUFF.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: address 'show_special()' o-o-b read/write concern
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: address 'show_special()' o-o-b read/write concern

This patch addresses a potential (but unlikely) buffer
overflow by reducing, if necessary, a memcpy length by
3 bytes to provide for an eol '\0' and 2 unused buffer
positions which also might receive the '\0' character.

[ note to future analysis tool: just because you see ]
[ binary data being manipulated in the routine, that ]
[ doesn't mean such function was passed binary data! ]

Reference(s):
. original qualys patch
0116-top-Fix-out-of-bounds-read-write-in-show_special.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: prevent buffer overflow potential in all routines
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: prevent buffer overflow potential in all routines

Whereas an original patch (referenced below) addressed
some symptoms related to manually edited config files,
this solution deals with root causes. And it goes much
beyond any single top field by protecting all of top's
fields. Henceforth, a duplicated field is not allowed.

Reference(s):
. original qualys patch
0114-top-Prevent-buffer-overflow-in-calibrate_fields.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: check sortindx risk exposure (not treat symptoms)
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: check sortindx risk exposure (not treat symptoms)

Rather than validate the window's 'sortindx' each time
it was referenced (as was done in the patch below), we
now ensure the validity just once when the config file
is read. Thereafter, a running top will police bounds.

Reference(s):
. original qualys patch
0102-top-Check-sortindx.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: other graph_cpus, graph_mems, and summ_mscale fix
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: other graph_cpus, graph_mems, and summ_mscale fix

This patch replaces an original patch referenced below
(omitted under this branch). We now validate variables
'graph_cpus', 'graph_mems' and 'summ_mscale' just once
at startup. Thereafter, top enforces the proper range.

[ we afford the same treatment to that 'task_mscale' ]
[ variable, which was ignored in the original patch. ]

Reference(s):
. original qualys patch
0099-top-Check-graph_cpus-graph_mems-and-summ_mscale.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agotop: Do not default to the cwd in configs_r... Tweaked
Jim Warner [Sat, 2 Jun 2018 05:00:00 +0000 (00:00 -0500)]
top: Do not default to the cwd in configs_r... Tweaked

While it's only documented (so far) in commit text and
an occasional email I've tried to maintain some coding
standards primarily for reference/navigation purposes.
They also served, I felt, as useful mental challenges.

Someday I will get around to formerly documenting them
but in the meantime here are the ones for this commit:

. functions are grouped into logical (i hope) sections
. functions & sections are ordered to avoid prototypes
. function names are alphabetical within every section
. all functions & sections must be referenced in top.h

This patch just attempts to honor the above standards,
while also covering this new behavior in the man page.

[ please note that the net result of these 2 patches ]
[ is simply to avoid pathname truncations should our ]
[ limit of 1024 be exceeded. they do not have a role ]
[ in solving the 'local privilege escalation' issue. ]

[ and we can never prevent a user from setting their ]
[ HOME var to a directory writable by some attacker! ]

[ the only real protection for that CVE-2018-1122 is ]
[ those soon to be enhanced rcfile integrity checks, ]
[ achieved through several of the following patches. ]

Reference(s):
. original qualys patch
0097-top-Do-not-default-to-the-cwd-in-configs_read.patch

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years agolibrary: adapt for increased (cmd) program name length
Jim Warner [Fri, 1 Jun 2018 05:00:00 +0000 (00:00 -0500)]
library: adapt for increased (cmd) program name length

In the new library 'cmd' is dynamically allocated just
like 'cmdline'. This will align us with the ref below.

Reference(s):
. master branch increase to 64
commit 2cfdbbe897f0d4e41460c7c2b92acfc5804652c8

Signed-off-by: Jim Warner <james.warner@comcast.net>
6 years ago0117-top: Prevent out-of-bounds writes in PUFF().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0117-top: Prevent out-of-bounds writes in PUFF().

This patch prevents three problems:

1/ Because snprintf() returns "the number of characters (excluding the
terminating null byte) which would have been written to the final string
if enough space had been available", _eol may point past the end of _str
and write out-of-bounds (in Batch mode).

2/ _eol is never checked against _str, so "while (*(--_eol) == ' ');"
may point _eol below _str and write out-of-bounds (in Batch mode).

3/ Sanity-check Pseudo_row to protect the strcpy().

6 years ago0115-top: Harden calibrate_fields().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0115-top: Harden calibrate_fields().

- Make sure i is at least 1 before "i - 1" and "--i".

- Initialize endpflg (to 0, as it was originally, since it is static)
  before the "for" loop (the "break" may leave endpflg uninitialized,
  for example).

6 years ago0113-top: Impose a minimum on Screen_cols.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0113-top: Impose a minimum on Screen_cols.

The safety of the critical function task_show() depends on the sanity of
Screen_cols. Just copy the tests on w_cols to Screen_cols (from the same
function adj_geometry()).

6 years ago0112-top: Prevent integer overflow in adj_geometry().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0112-top: Prevent integer overflow in adj_geometry().

6 years ago0111-top: Limit Width_mode to SCREENMAX.
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0111-top: Limit Width_mode to SCREENMAX.

adj_geometry() limits to SCREENMAX too, but belt and suspenders, and
might as well tell the user about it.

6 years ago0110-top: Prevent integer overflows in config_file() and other_selection().
Qualys Security Advisory [Thu, 1 Jan 1970 00:00:00 +0000 (00:00 +0000)]
0110-top: Prevent integer overflows in config_file() and other_selection().