|
0 |
From: Willi Mann <willi@debian.org>
|
|
1 |
Date: Sat, 31 Dec 2016 14:43:10 +0100
|
|
2 |
Subject: convert.c: Use safe buffer size and snprintf
|
|
3 |
|
|
4 |
cmd_expand, cmd_emboss, and cmd_engrave print an integer to a stack buffer.
|
|
5 |
Unfortunately, the previous buffer size of 10 is to small (e.g., to store -1 *
|
|
6 |
10^9), such that a buffer overflow could be provoked. This patch increases the
|
|
7 |
buffer size to 12 and switches to snprintf.
|
|
8 |
|
|
9 |
Bug-Debian: https://bugs.debian.org/849705
|
|
10 |
---
|
|
11 |
src/convert.c | 12 ++++++------
|
|
12 |
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
13 |
|
|
14 |
diff --git a/src/convert.c b/src/convert.c
|
|
15 |
index c76d7d6..5294743 100644
|
|
16 |
--- a/src/convert.c
|
|
17 |
+++ b/src/convert.c
|
|
18 |
@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
|
|
19 |
|
|
20 |
static int
|
|
21 |
cmd_expand (Word *w, int align, char has_param, int param) {
|
|
22 |
- char str[10];
|
|
23 |
+ char str[12];
|
|
24 |
if (has_param) {
|
|
25 |
- sprintf(str, "%d", param/4);
|
|
26 |
+ snprintf(str, 12, "%d", param/4);
|
|
27 |
if (!param)
|
|
28 |
attr_pop(ATTR_EXPAND);
|
|
29 |
else
|
|
30 |
@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
|
|
31 |
|
|
32 |
static int
|
|
33 |
cmd_emboss (Word *w, int align, char has_param, int param) {
|
|
34 |
- char str[10];
|
|
35 |
+ char str[12];
|
|
36 |
if (has_param && !param)
|
|
37 |
#ifdef SUPPORT_UNNESTED
|
|
38 |
attr_find_pop(ATTR_EMBOSS);
|
|
39 |
@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
|
|
40 |
#endif
|
|
41 |
else
|
|
42 |
{
|
|
43 |
- sprintf(str, "%d", param);
|
|
44 |
+ snprintf(str, 12, "%d", param);
|
|
45 |
attr_push(ATTR_EMBOSS, str);
|
|
46 |
}
|
|
47 |
return FALSE;
|
|
48 |
@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
|
|
49 |
|
|
50 |
static int
|
|
51 |
cmd_engrave (Word *w, int align, char has_param, int param) {
|
|
52 |
- char str[10];
|
|
53 |
+ char str[12];
|
|
54 |
if (has_param && !param)
|
|
55 |
attr_pop(ATTR_ENGRAVE);
|
|
56 |
else
|
|
57 |
{
|
|
58 |
- sprintf(str, "%d", param);
|
|
59 |
+ snprintf(str, 12, "%d", param);
|
|
60 |
attr_push(ATTR_ENGRAVE, str);
|
|
61 |
}
|
|
62 |
return FALSE;
|