From 1f3b7755dd27c8a58868cfac8cdbe7690160f9f3 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Wed, 24 Jun 2015 09:51:49 +0200
Subject: erec: fix buffer overflow

A static array was used to read data and to write information in it without checking the limit of the array. The result was a buffer overflow when the line was longer than 1024. This patch now uses a allocated buffer to avoid the problem.

Signed-off-by: Eric Leblond
Signed-off-by: Pablo Neira Ayuso
---
 src/erec.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
(limited to 'src/erec.c')
diff --git a/src/erec.c b/src/erec.c
index 810e9bfd..8abed4d9 100644
--- a/src/erec.c
+++ b/src/erec.c
@@ -12,6 +12,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -82,6 +83,7 @@ void erec_print(FILE *f, const struct error_record *erec)
 const struct input_descriptor *indesc = loc->indesc, *tmp;
 const char *line = NULL; /* silence gcc */
 char buf[1024];
+ char *pbuf = NULL;
 unsigned int i, end;
 int l, ret;
@@ -141,17 +143,22 @@ void erec_print(FILE *f, const struct error_record *erec)
 if (indesc->type != INDESC_INTERNAL) fprintf(f, "%s\n", line);
- memset(buf, ' ', sizeof(buf));
 end = 0;
+ for (l = erec->num_locations - 1; l >= 0; l--) {
+ loc = &erec->locations[l];
+ end = max(end, loc->last_column);
+ }
+ pbuf = xmalloc(end + 1);
+ memset(pbuf, ' ', end + 1);
 for (l = erec->num_locations - 1; l >= 0; l--) {
 loc = &erec->locations[l];
 for (i = loc->first_column ? loc->first_column - 1 : 0; i < loc->last_column; i++)
- buf[i] = l ? '~' : '^';
- end = max(end, loc->last_column);
+ pbuf[i] = l ? '~' : '^';
 }
- buf[end] = '\0';
- fprintf(f, "%s", buf);
+ pbuf[end] = '\0';
+ fprintf(f, "%s", pbuf);
+ xfree(pbuf);
 }
 fprintf(f, "\n");
 }
--
cgit v1.2.3
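Review bot: `char buf[1024]` stays declared next to the new `pbuf` in the second hunk (`@@ -82,6 +83,7 @@`), yet the commit message says the fixed array was used both to read data and to write into, and the hunks shown move only the marker writes to the heap. Whatever still fills `buf` lies outside the visible hunks, so it is worth confirming that the remaining use is bounded by `sizeof(buf)` and leaves the buffer NUL-terminated. If `buf` now only holds the source line, a comment on the declaration such as `/* source line only; the marker row is built in pbuf */` would keep the two buffers' roles apart.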
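Review bot: The allocation size `end + 1` in the third hunk is computed in `unsigned int` (per the `unsigned int i, end;` declaration), so a `last_column` of UINT_MAX would wrap it to 0 while `pbuf[end] = '\0'` and the marker loop still index up to `end`. Column values presumably come from the parser and stay far below that, but the guard is cheap: compute `size_t len = (size_t)end + 1;` once and pass `len` to both `xmalloc` and `memset`, which closes the wrap wherever `size_t` is wider than `unsigned int`. The second loop is in bounds only because `end` is the largest `last_column` over all locations; a comment above the allocation such as `/* end = max last_column, so every pbuf[i] store below is in bounds */` would record that invariant. erec_print begins and ends outside this hunk.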