From: Willi Mann <willi@debian.org>
Date: Sat, 31 Dec 2016 14:43:10 +0100
Subject: convert.c: Use safe buffer size and snprintf
cmd_expand, cmd_emboss, and cmd_engrave print an integer to a stack buffer.
Unfortunately, the previous buffer size of 10 is too small (e.g., to store -1 *
10^9), such that a buffer overflow could be provoked. This patch increases the
buffer size to 12 and switches to snprintf.
Bug-Debian: https://bugs.debian.org/849705
---
src/convert.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/convert.c b/src/convert.c
index c76d7d6..5294743 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
static int
cmd_expand (Word *w, int align, char has_param, int param) {
- char str[10];
+ char str[12];
if (has_param) {
- sprintf(str, "%d", param/4);
+ snprintf(str, 12, "%d", param/4);
if (!param)
attr_pop(ATTR_EXPAND);
else
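Review bot: The bound passed to snprintf in cmd_expand is the literal `12`, repeated from the declaration `char str[12];`, so the two can drift apart if the buffer is ever resized. Tying the bound to the buffer avoids that: `snprintf(str, sizeof str, "%d", param/4);`. The same applies to the snprintf calls added in the cmd_emboss and cmd_engrave hunks. The body of cmd_expand continues outside this hunk.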
@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
static int
cmd_emboss (Word *w, int align, char has_param, int param) {
- char str[10];
+ char str[12];
if (has_param && !param)
#ifdef SUPPORT_UNNESTED
attr_find_pop(ATTR_EMBOSS);
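Review bot: The new size in `char str[12];` has no comment saying where 12 comes from, and it is only large enough while int is 32 bits wide (11 characters for `-2147483648` plus the terminator). A short comment on the declaration, such as `/* sign + 10 digits + NUL for a 32-bit int */`, would record that assumption; the same declaration appears in cmd_expand and cmd_engrave. With snprintf a wider int would be truncated rather than overflow the buffer, but the later hunk passes the result to attr_push without checking snprintf's return value, so a truncated string would be pushed silently. The body of cmd_emboss continues outside this hunk.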
@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
#endif
else
{
- sprintf(str, "%d", param);
+ snprintf(str, 12, "%d", param);
attr_push(ATTR_EMBOSS, str);
}
return FALSE;
@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
static int
cmd_engrave (Word *w, int align, char has_param, int param) {
- char str[10];
+ char str[12];
if (has_param && !param)
attr_pop(ATTR_ENGRAVE);
else
{
- sprintf(str, "%d", param);
+ snprintf(str, 12, "%d", param);
attr_push(ATTR_ENGRAVE, str);
}
return FALSE;