diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2017-12-30 07:19:06 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2017-12-30 07:19:06 +0000 |
commit | 45b33350e6fe5b2b74baa91e4a075cdc10c2c335 (patch) | |
tree | 1d05d87421b0406d88819a46cc149fb691173a4b /usr.bin | |
parent | 63391c8a5db16675a09e2b85adb79f92a443bdd2 (diff) |
Avoid one-byte overflow in error path. If the format string ends in an
invalid specifier like `%l', p will already point to the trailing NUL
upon entering the switch, wherein the instruction
*++p = '\0';
will write another NUL after it, but there is no guarantee that the
buffer extends beyond that first NUL; thus, in the rare case where it
does not, this assignment will write one byte past its end.
from kshe
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/jot/jot.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/usr.bin/jot/jot.c b/usr.bin/jot/jot.c index 12b1fc5116b..8e07223786f 100644 --- a/usr.bin/jot/jot.c +++ b/usr.bin/jot/jot.c @@ -1,4 +1,4 @@ -/* $OpenBSD: jot.c,v 1.39 2017/12/15 14:20:52 tb Exp $ */ +/* $OpenBSD: jot.c,v 1.40 2017/12/30 07:19:05 tb Exp $ */ /* $NetBSD: jot.c,v 1.3 1994/12/02 20:29:43 pk Exp $ */ /*- @@ -406,8 +406,7 @@ getformat(void) if (*p == 'l') { longdata = true; if (*++p == 'l') { - if (p[1] != '\0') - p++; + p++; goto fmt_broken; } } @@ -449,7 +448,8 @@ getformat(void) /* FALLTHROUGH */ default: fmt_broken: - *++p = '\0'; + if (*p != '\0') + p[1] = '\0'; errx(1, "illegal or unsupported format '%s'", p2); } while (*++p != '\0') |