authorTheo Buehler <tb@cvs.openbsd.org>2017-12-30 07:19:06 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2017-12-30 07:19:06 +0000
commit45b33350e6fe5b2b74baa91e4a075cdc10c2c335 (patch)
tree1d05d87421b0406d88819a46cc149fb691173a4b /usr.bin
parent63391c8a5db16675a09e2b85adb79f92a443bdd2 (diff)
Avoid one-byte overflow in error path. If the format string ends in an
invalid specifier like `%l', p will already point to the trailing NUL upon entering the switch, wherein the instruction *++p = '\0'; will write another NUL after it, but there is no guarantee that the buffer extends beyond that first NUL; thus, in the rare case where it does not, this assignment will write one byte past its end. from kshe
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/jot/jot.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/usr.bin/jot/jot.c b/usr.bin/jot/jot.c
index 12b1fc5116b..8e07223786f 100644
--- a/usr.bin/jot/jot.c
+++ b/usr.bin/jot/jot.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: jot.c,v 1.39 2017/12/15 14:20:52 tb Exp $ */
+/* $OpenBSD: jot.c,v 1.40 2017/12/30 07:19:05 tb Exp $ */
/* $NetBSD: jot.c,v 1.3 1994/12/02 20:29:43 pk Exp $ */
/*-
@@ -406,8 +406,7 @@ getformat(void)
if (*p == 'l') {
longdata = true;
if (*++p == 'l') {
- if (p[1] != '\0')
- p++;
+ p++;
goto fmt_broken;
}
}
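Review bot: The now-unconditional `p++` before `goto fmt_broken` is only safe together with the guard added at `fmt_broken` in the later hunk, and nothing at this site says so. Because `*p` was just tested equal to `'l'`, advancing by one stays inside the string, but for a format ending in `%ll` it leaves `p` on the terminating NUL. A short comment here, e.g. `/* "%ll" is unsupported; p may now rest on the NUL, so fmt_broken must not store past it */`, would keep a later edit from reintroducing the out-of-bounds store. The body of `getformat()` starts and ends outside this hunk.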
@@ -449,7 +448,8 @@ getformat(void)
/* FALLTHROUGH */
default:
fmt_broken:
- *++p = '\0';
+ if (*p != '\0')
+ p[1] = '\0';
errx(1, "illegal or unsupported format '%s'", p2);
}
while (*++p != '\0')
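Review bot: The new guard at `fmt_broken` removes the one-byte overflow, but it still truncates the format buffer in place only to shape the error message; bounding the print instead would remove the store altogether. `errx(1, "illegal or unsupported format '%.*s'", (int)(p - p2) + (*p != '\0'), p2);` prints the same bytes as the guarded version and writes nothing, so no jump to the label can become a write past the terminator. Either form assumes every `goto fmt_broken` leaves `p` at or before the terminating NUL. The hunk shows that only for the `%ll` path, so the other jump sites, which lie outside it, are worth checking. If the in-place write is kept, a one-line comment stating that invariant above the `if` would help.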