author | Todd C. Miller <millert@cvs.openbsd.org> | 2003-10-16 22:08:49 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2003-10-16 22:08:49 +0000 |
commit | 8e3075cd922ea1b4380ab1ff5ad94b98bb787bcc (patch) | |
tree | fb7c2fcd3ba19fa73cc9a77710be2638ee075cc1 /bin/ksh/vi.c | |
parent | 0c135f864819a69591c4493fbd6fcea2144c55ab (diff) |
Buffers are not strings so use memcpy(), not strlcpy() to copy them.
Found by danh@ with JG malloc options. I've also added some further
bounds checks in the name of paranoia. Tested by danh and others.
Diffstat (limited to 'bin/ksh/vi.c')
-rw-r--r-- | bin/ksh/vi.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/bin/ksh/vi.c b/bin/ksh/vi.c
index 82392a2c73b..dec41a44bf6 100644
--- a/bin/ksh/vi.c
+++ b/bin/ksh/vi.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: vi.c,v 1.11 2003/03/13 09:03:07 deraadt Exp $ */
+/* $OpenBSD: vi.c,v 1.12 2003/10/16 22:08:48 millert Exp $ */
 /*
 * vi command editing
@@ -238,7 +238,7 @@ x_vi(buf, len)
 x_putc('\r');
 x_putc('\n');
 x_flush();
- if (c == -1)
+ if (c == -1 || len <= es->linelen)
 return -1;
 if (es->cbuf != buf)
@@ -462,15 +462,22 @@ vi_hook(ch)
 else {
 locpat[srchlen++] = ch;
 if ((ch & 0x80) && Flag(FVISHOW8)) {
+ if (es->linelen + 2 > es->cbufsize)
+ vi_error();
 es->cbuf[es->linelen++] = 'M';
 es->cbuf[es->linelen++] = '-';
 ch &= 0x7f;
 }
 if (ch < ' ' || ch == 0x7f) {
+ if (es->linelen + 2 > es->cbufsize)
+ vi_error();
 es->cbuf[es->linelen++] = '^';
 es->cbuf[es->linelen++] = ch ^ '@';
- } else
+ } else {
+ if (es->linelen >= es->cbufsize)
+ vi_error();
 es->cbuf[es->linelen++] = ch;
+ }
 es->cursor = es->linelen;
 refresh(0);
 }
@@ -693,7 +700,7 @@ vi_insert(ch)
 /* End nonstandard vi commands } */
 default:
- if (es->linelen == es->cbufsize - 1)
+ if (es->linelen >= es->cbufsize - 1)
 return -1;
 ibuf[inslen++] = ch;
 if (insert == INSERT) {
@@ -1405,8 +1412,8 @@ save_edstate(old)
 new = (struct edstate *)alloc(sizeof(struct edstate), APERM);
 new->cbuf = alloc(old->cbufsize, APERM);
+ memcpy(new->cbuf, old->cbuf, old->linelen);
 new->cbufsize = old->cbufsize;
- strlcpy(new->cbuf, old->cbuf, new->cbufsize);
 new->linelen = old->linelen;
 new->cursor = old->cursor;
 new->winleft = old->winleft;
@@ -1417,7 +1424,7 @@ static void
 restore_edstate(new, old)
 struct edstate *old, *new;
 {
- strncpy(new->cbuf, old->cbuf, old->linelen);
+ memcpy(new->cbuf, old->cbuf, old->linelen);
 new->linelen = old->linelen;
 new->cursor = old->cursor;
 new->winleft = old->winleft; |
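Review bot: The added `len <= es->linelen` test in x_vi shares its `return -1` with `c == -1`, so a caller cannot tell an over-long line from the other failure, and nothing explains why a line of exactly `len` bytes is rejected. If the reason is that one extra byte is appended when the line is handed back, a comment such as `/* edited line plus one trailing byte must fit in the caller's buf */` would record it; the code that would use that byte is outside the hunk. x_vi's body starts and ends outside the hunk.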
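Review bot: In vi_hook the three new bounds checks call `vi_error()` and then fall through to the `es->cbuf[es->linelen++] = ...` stores they are meant to guard, so unless vi_error() never returns (its definition is not in this diff) the write past `cbufsize` still happens. Each check should leave the branch after signalling, for example `if (es->linelen + 2 > es->cbufsize) { vi_error(); return RET; }`, where RET is a placeholder for whatever vi_hook returns for an ignored key. A byte that takes both the `M-` and the `^` path needs four slots in total, so a single up-front test for the worst case would be simpler than the per-branch ones. `locpat[srchlen++] = ch` runs before any of the checks and has no bound visible here, so the test belongs ahead of it. vi_hook's body continues outside the hunk.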
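Review bot: restore_edstate copies `old->linelen` bytes into `new->cbuf` without comparing that length with `new->cbufsize`, and nothing in the hunk shows that the destination is at least as large as the saved buffer. If the two buffers always have the same size, say so next to the copy, e.g. `/* new->cbuf holds at least old->cbufsize bytes; linelen <= cbufsize */`; otherwise add a guard before the memcpy. The save_edstate hunk relies on the same `old->linelen <= old->cbufsize` invariant. With memcpy the copy is no longer NUL-terminated, so any remaining reader of `cbuf` has to go by `linelen`; a one-line comment on the struct member would make that explicit.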