author | 2014-12-03 16:44:55 +0000 | |
---|---|---|
committer | 2014-12-03 16:44:55 +0000 | |
commit | 1e6d196437f7fc740319ee1966b7ad9045a32605 (patch) | |
tree | 5641111851a234ddca8d57863d7734d87b64282f | |
parent | Restore packetp and snapend pointers once we're done with an incorrectly (diff) | |
Fix buffer overflow in .PS parsing. Found by afl and based on a
diff from jsg@. OK jsg@
-rw-r--r-- | usr.bin/deroff/deroff.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/usr.bin/deroff/deroff.c b/usr.bin/deroff/deroff.c
index 6cbb53d23b8..6b50bc14f28 100644
--- a/usr.bin/deroff/deroff.c
+++ b/usr.bin/deroff/deroff.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: deroff.c,v 1.8 2009/10/27 23:59:37 deraadt Exp $ */
+/* $OpenBSD: deroff.c,v 1.9 2014/12/03 16:44:55 millert Exp $ */
 /*-
 * Copyright (c) 1988, 1993
@@ -745,10 +745,11 @@ void
 inpic(void)
 {
 int c1;
- char *p1;
+ char *p1, *ep;
 SKIP;
 p1 = line;
+ ep = line + sizeof(line) - 1;
 c = '\n';
 for (;;) {
 c1 = c;
@@ -781,8 +782,11 @@ inpic(void)
 continue;
 ungetc(c, infile);
 backsl();
- } else
+ } else if (p1 + 1 >= ep) {
+ errx(1, ".PS length exceeds limit");
+ } else {
 *p1++ = c;
+ }
 }
 *p1++ = ' ';
 } |
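Review bot: The unconditional `*p1++ = ' ';` that follows the quoted-string loop in the last hunk is not covered by the new `ep` check, so it still advances `p1` by one byte per quoted string no matter how full `line` already is. The added guard bounds only the `*p1++ = c;` store inside the loop, which means the separator write can reach and then pass the end of `line` on its own. I would guard it the same way, e.g. `if (p1 >= ep) errx(1, ".PS length exceeds limit");` immediately before `*p1++ = ' ';`, which keeps one byte for the terminator, assuming that is stored through `*p1` later in the function. The rest of `inpic()` and `backsl()` lie outside these hunks, so whether either writes through `p1` or into `line` elsewhere should be checked against the same bound.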