Review mlforce to avoid necessity to double '%' in input string, thus avoiding potential buffer overflow in caller functions (mdbugout and write-message).

2024-11-05 11:57:16 -05:00 · 2015-01-15 17:57:12 +08:00 · 2015-01-15 17:57:12 +08:00 · 434c9ba7ab
commit 434c9ba7ab
parent 01a84a3ac0
3 changed files with 14 additions and 50 deletions
--- a/display.c
+++ b/display.c
@ -1418,13 +1418,12 @@ void mlwrite(const char *fmt, ...)
 *
 * char *s;		string to force out
 */
-void mlforce(char *s)
-{
+void mlforce( char *s) {
 	int oldcmd;	/* original command display flag */

 	oldcmd = discmd;	/* save the discmd value */
 	discmd = TRUE;		/* and turn display on */
-	mlwrite(s);		/* write the string out */
+	mlwrite( "%s", s) ;	/* write the string out */
 	discmd = oldcmd;	/* and restore the original setting */
 }

--- a/eval.c
+++ b/eval.c
@ -799,7 +799,6 @@ int setvar(int f, int n)
 int mdbugout( char *fmt, char *s1, char *s2, char *s3) {
 	char outline[ NSTRING] ;	/* global string to hold debug line text */
 	int	c, size ;	/* input from kbd, output to terminal */
-	char *sp ;	/* temp string pointer */

 	/* insure debug info fits in terminal and buffer width */
 	size = term.t_ncol + 1 ;
@ -809,33 +808,14 @@ int mdbugout( char *fmt, char *s1, char *s2, char *s3) {
 	/* assignment status ; variable name ; value we tried to assign  */
 	snprintf( outline, size, fmt, s1, s2, s3) ;

-	/* expand '%' to "%%" so mlwrite wont bitch */
-	sp = outline;
-	while (*sp)
-		if (*sp++ == '%') {
-			char *ep ;	/* ptr to end of outline */
-
-			/* advance to the end */
-			ep = --sp;
-			while (*ep++);
-			/* null terminate the string one out */
-			*(ep + 1) = 0;
-			/* copy backwards */
-			while (ep-- > sp)
-				*(ep + 1) = *ep;
-
-			/* and advance sp past the new % */
-			sp += 2;
-		}
-
 	/* write out the debug line */
-	mlforce(outline);
-	update(TRUE);
+	mlforce( outline) ;
+	update( TRUE) ;

 	/* and get the keystroke to hold the output */
 	c = get1key() ;
 	if( c == abortc)
-		mlforce("(Macro aborted)");
+		mlforce( "(Macro aborted)") ;

 	return c ;
 }
--- a/random.c
+++ b/random.c
@ -1016,10 +1016,9 @@ int adjustmode(int kind, int global)
 *
 * int f, n;		arguments ignored
 */
-int clrmes(int f, int n)
-{
-	mlforce("");
-	return TRUE;
+int clrmes( int f, int n) {
+	mlforce( "") ;
+	return TRUE ;
 }

 /*
@ -1028,31 +1027,17 @@ int clrmes(int f, int n)
 *
 * int f, n;		arguments ignored
 */
-int writemsg(int f, int n)
-{
-	char *sp;	/* pointer into buf to expand %s */
-	char *np;	/* ptr into nbuf */
+int writemsg( int f, int n) {
 	int status;
 	char buf[ NSTRING] ;		/* buffer to recieve message into */
-	char nbuf[ NSTRING * 2] ;	/* buffer to expand string into */

-	if ((status =
-	     mlreply("Message to write: ", buf, sizeof buf - 1)) != TRUE)
-		return status;
-
-	/* expand all '%' to "%%" so mlwrite won't expect arguments */
-	sp = buf;
-	np = nbuf;
-	while (*sp) {
-		*np++ = *sp;
-		if (*sp++ == '%')
-			*np++ = '%';
-	}
-	*np = '\0';
+	status = mlreply( "Message to write: ", buf, sizeof buf - 1) ;
+	if( status != TRUE)
+		return status ;

 	/* write the message out */
-	mlforce(nbuf);
-	return TRUE;
+	mlforce( buf) ;
+	return TRUE ;
 }

 #if	CFENCE