From f630a3e6042f2ce6895a16b876b427ebdd8b0f3d Mon Sep 17 00:00:00 2001
From: Jfreegman
Date: Fri, 25 Jul 2014 17:55:21 -0400
Subject: [PATCH] fix possible buffer overflows and undefined behaviour
---
src/autocomplete.c | 4 ++--
src/chat_commands.c | 4 ++--
src/execute.c | 4 +++-
src/input.c | 7 ++-----
src/log.c | 2 +-
src/toxic_strings.c | 2 +-
6 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/src/autocomplete.c b/src/autocomplete.c
index b5b3966..e193975 100644
--- a/src/autocomplete.c
+++ b/src/autocomplete.c
@@ -178,7 +178,7 @@ int complete_line(ToxWindow *self, const void *list, int n_items, int size)
 int strt = ctx->pos - s_len;
 int diff = m_len - s_len + n_endchrs;
- if (ctx->len + diff > MAX_STR_SIZE)
+ if (ctx->len + diff >= MAX_STR_SIZE)
 return -1;
 char tmpend[MAX_STR_SIZE];
@@ -220,7 +220,7 @@ static void complt_home_dir(ToxWindow *self, char *path)
 int newlen = wcslen(wline);
- if (ctx->len + newlen > MAX_STR_SIZE)
+ if (ctx->len + newlen >= MAX_STR_SIZE)
 return;
 wmemcpy(ctx->line, wline, newlen + 1);
diff --git a/src/chat_commands.c b/src/chat_commands.c
index 0c6b2f7..26f9ec8 100644
--- a/src/chat_commands.c
+++ b/src/chat_commands.c
@@ -172,7 +172,7 @@ void cmd_sendfile(WINDOW *window, ToxWindow *self, Tox *m, int argc, char (*argv
 int path_len = strlen(path) - 1;
 path[path_len] = '\0';
- if (path_len > MAX_STR_SIZE) {
+ if (path_len >= MAX_STR_SIZE) {
 errmsg = "File path exceeds character limit.";
 line_info_add(self, NULL, NULL, NULL, SYS_MSG, 0, 0, errmsg);
 return;
@@ -190,7 +190,7 @@ void cmd_sendfile(WINDOW *window, ToxWindow *self, Tox *m, int argc, char (*argv
 uint64_t filesize = ftell(file_to_send);
 fseek(file_to_send, 0, SEEK_SET);
- char filename[MAX_STR_SIZE];
+ char filename[MAX_STR_SIZE] = {0};
 get_file_name(filename, sizeof(filename), path);
 int filenum = tox_new_file_sender(m, self->num, filesize, (const uint8_t *) filename, strlen(filename));
diff --git a/src/execute.c b/src/execute.c
index ed928fe..11da31b 100644
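Review bot: The corrected bound in `complete_line` (src/autocomplete.c) is hand-written here and again in `complt_home_dir`, `cmd_sendfile`, `init_logging_session` and `add_line_to_hist`, and none of the sites says why the limit is `>=`. `tmpend` is declared as `char tmpend[MAX_STR_SIZE]`, so the longest string it can hold is MAX_STR_SIZE - 1 characters plus the terminator. A one-line comment at the macro's definition or above each check, such as `/* MAX_STR_SIZE counts the terminator: longest line is MAX_STR_SIZE - 1 */`, would keep a later edit from reintroducing `>`. The body of `complete_line` starts and continues outside this hunk.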
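Review bot: In `complt_home_dir` (src/autocomplete.c) the guard bounds `ctx->len + newlen`, but the `wmemcpy` that follows writes `newlen + 1` wide characters starting at `ctx->line`, so the tested quantity is not the size of the write. The check is conservative provided `ctx->len` is non-negative and `ctx->line` holds MAX_STR_SIZE elements; its declaration is outside the hunk, so that is an assumption to confirm. I would state the intent in a comment, e.g. `/* newlen + 1 elements are copied; adding ctx->len only makes the bound stricter */`. The function body starts and continues outside the hunk.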
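Review bot: `path[path_len] = '\0'` in the first `cmd_sendfile` hunk (src/chat_commands.c) still runs before `path_len` is validated, and `strlen(path) - 1` becomes -1 when `path` is empty, so the store lands one byte before the string. Whether an empty `path` can reach this point depends on checks outside the hunk, but the guard is cheap. Take `size_t len = strlen(path);`, reject `len == 0 || len - 1 >= MAX_STR_SIZE` first, and only then write `path[len - 1] = '\0';`. The function starts before and continues past the hunk.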
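Review bot: `ftell(file_to_send)` in the second `cmd_sendfile` hunk is stored straight into a `uint64_t`, so its -1 failure value becomes a huge `filesize` that is then handed to `tox_new_file_sender`; the `fseek` result is ignored as well. Read the offset into a `long` and stop on a negative value, e.g. `long fsz = ftell(file_to_send); if (fsz < 0) { /* report, close the file, return */ }`. Separately, `= {0}` only guarantees termination if `get_file_name` (not visible here) never fills all `sizeof(filename)` bytes, which is worth confirming because `strlen(filename)` follows.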
--- a/src/execute.c
+++ b/src/execute.c
@@ -114,7 +114,9 @@ static int parse_command(WINDOW *w, ToxWindow *self, const char *input, char (*a
 if (cmd[i] == '\0') /* no more args */ break;
- strcpy(cmd, &cmd[i + 1]);
+ char tmp[MAX_STR_SIZE];
+ snprintf(tmp, sizeof(tmp), "%s", &cmd[i + 1]);
+ strcpy(cmd, tmp);
 }
 free(cmd);
diff --git a/src/input.c b/src/input.c
index 97b2543..2f4a508 100644
--- a/src/input.c
+++ b/src/input.c
@@ -145,16 +145,13 @@ static void input_mv_left(ToxWindow *self, int x, int mx_x)
 if (ctx->pos <= 0) return;
- int cur_len = wcwidth(ctx->line[ctx->pos - 1]);
+ int cur_len = ctx->pos > 0 ? wcwidth(ctx->line[ctx->pos - 1]) : 0;
+ int s_len = ctx->start > 0 ? wcwidth(ctx->line[ctx->start - 1]) : 0;
 --ctx->pos;
- int s_len = wcwidth(ctx->line[ctx->start - 1]);
-
 if (ctx->start && (x >= mx_x - cur_len))
 ctx->start = MAX(0, ctx->start - 1 + (s_len - cur_len));
- else if (ctx->start && (ctx->pos == ctx->len))
- ctx->start = MAX(0, ctx->start - cur_len);
 else if (ctx->start)
 ctx->start = MAX(0, ctx->start - cur_len);
 }
diff --git a/src/log.c b/src/log.c
index eb07a4e..9d7c7d6 100644
--- a/src/log.c
+++ b/src/log.c
@@ -59,7 +59,7 @@ void init_logging_session(char *name, char *key, struct chatlog *log)
 path_len += strlen(ident) + 1;
 }
- if (path_len > MAX_STR_SIZE) {
+ if (path_len >= MAX_STR_SIZE) {
 log->log_on = false;
 free(user_config_dir);
 return;
diff --git a/src/toxic_strings.c b/src/toxic_strings.c
index 932a0c8..b7eb880 100644
--- a/src/toxic_strings.c
+++ b/src/toxic_strings.c
@@ -170,7 +170,7 @@ static void shift_hist_back(ChatContext *ctx)
 /* adds a line to the ln_history buffer at hst_pos and sets hst_pos to end of history. */
 void add_line_to_hist(ChatContext *ctx) {
- if (ctx->len > MAX_STR_SIZE)
+ if (ctx->len >= MAX_STR_SIZE)
 return;
 if (ctx->hst_tot >= MAX_LINE_HIST)
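Review bot: The bounce through `tmp` in `parse_command` (src/execute.c) removes the overlapping `strcpy`, but `snprintf` silently truncates anything past MAX_STR_SIZE - 1 bytes. The allocated size of `cmd` is not visible in the hunk, so a long remainder could be cut short without any error being reported. `memmove` is defined for overlapping regions and needs no second buffer: `memmove(cmd, &cmd[i + 1], strlen(&cmd[i + 1]) + 1);`. The loop and the allocation of `cmd` start outside the hunk.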
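Review bot: Both new initialisers in `input_mv_left` (src/input.c) use the result of `wcwidth()` unclamped, and `wcwidth()` returns -1 for a non-printable wide character, which would make `ctx->start - cur_len` move `start` forward instead of back. If `ctx->line` can hold such characters (not visible here), clamp the widths, e.g. `if (cur_len < 0) cur_len = 0;` and the same for `s_len`. The `ctx->pos > 0 ?` test on `cur_len` is also dead, because the function has already returned when `ctx->pos <= 0`; dropping the ternary or adding a comment would make that clear. The start of the function is outside the hunk.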