Don't blindly increase offsets by the return value of snprintf, if there

wasn't enough space this will go off the end. Instead clamp to the
available space. Fixes crash reported by Julien Rebetez.

3 files changed, 27 insertions, 15 deletions

diff --git a/usr.bin/tmux/arguments.c b/usr.bin/tmux/arguments.c
index 5d3fa331ce2..0dfb3ddb785 100644
--- a/usr.bin/tmux/arguments.c
+++ b/usr.bin/tmux/arguments.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: arguments.c,v 1.8 2014/01/15 11:44:18 nicm Exp $ */
+/* $OpenBSD: arguments.c,v 1.9 2014/04/11 19:35:54 nicm Exp $ */
 
 /*
  * Copyright (c) 2010 Nicholas Marriott <nicm@users.sourceforge.net>
@@ -125,7 +125,7 @@ args_free(struct args *args)
 size_t
 args_print(struct args *args, char *buf, size_t len)
 {
-	size_t		 	 off;
+	size_t		 	 off, used;
 	int			 i;
 	const char		*quotes;
 	struct args_entry	*entry;
@@ -165,9 +165,12 @@ args_print(struct args *args, char *buf, size_t len)
 			quotes = "\"";
 		else
 			quotes = "";
-		off += xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
+		used = xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
 		    off != 0 ? " " : "", entry->flag, quotes, entry->value,
 		    quotes);
+		if (used > len - off)
+			used = len - off;
+		off += used;
 	}
 
 	/* And finally the argument vector. */
@@ -181,8 +184,11 @@ args_print(struct args *args, char *buf, size_t len)
 			quotes = "\"";
 		else
 			quotes = "";
-		off += xsnprintf(buf + off, len - off, "%s%s%s%s",
+		used = xsnprintf(buf + off, len - off, "%s%s%s%s",
 		    off != 0 ? " " : "", quotes, args->argv[i], quotes);
+		if (used > len - off)
+			used = len - off;
+		off += used;
 	}
 
 	return (off);
diff --git a/usr.bin/tmux/cmd-list.c b/usr.bin/tmux/cmd-list.c
index 59962e008aa..5295840a050 100644
--- a/usr.bin/tmux/cmd-list.c
+++ b/usr.bin/tmux/cmd-list.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cmd-list.c,v 1.12 2013/03/24 09:54:10 nicm Exp $ */
+/* $OpenBSD: cmd-list.c,v 1.13 2014/04/11 19:35:54 nicm Exp $ */
 
 /*
  * Copyright (c) 2009 Nicholas Marriott <nicm@users.sourceforge.net>
@@ -103,7 +103,7 @@ size_t
 cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
 {
 	struct cmd	*cmd;
-	size_t		 off;
+	size_t		 off, used;
 
 	off = 0;
 	TAILQ_FOREACH(cmd, &cmdlist->list, qentry) {
@@ -112,8 +112,12 @@ cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
 		off += cmd_print(cmd, buf + off, len - off);
 		if (off >= len)
 			break;
-		if (TAILQ_NEXT(cmd, qentry) != NULL)
-			off += xsnprintf(buf + off, len - off, " ; ");
+		if (TAILQ_NEXT(cmd, qentry) != NULL) {
+			used = xsnprintf(buf + off, len - off, " ; ");
+			if (used > len - off)
+				used = len - off;
+			off += used;
+		}
 	}
 	return (off);
 }
diff --git a/usr.bin/tmux/window-copy.c b/usr.bin/tmux/window-copy.c
index 7e04b713666..32065cf5e12 100644
--- a/usr.bin/tmux/window-copy.c
+++ b/usr.bin/tmux/window-copy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: window-copy.c,v 1.104 2014/04/03 08:20:29 nicm Exp $ */
+/* $OpenBSD: window-copy.c,v 1.105 2014/04/11 19:35:54 nicm Exp $ */
 
 /*
  * Copyright (c) 2007 Nicholas Marriott <nicm@users.sourceforge.net>
@@ -1194,8 +1194,8 @@ window_copy_write_line(
 		screen_write_puts(ctx, &gc, "%s", hdr);
 	} else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
 		limit = sizeof hdr;
-		if (limit > screen_size_x(s))
-			limit = screen_size_x(s);
+		if (limit > screen_size_x(s) + 1)
+			limit = screen_size_x(s) + 1;
 		if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
 			xoff = size = xsnprintf(hdr, limit,
 			    "Repeat: %u", data->numprefix);
@@ -1208,10 +1208,12 @@ window_copy_write_line(
 	} else
 		size = 0;
 
-	screen_write_cursormove(ctx, xoff, py);
-	screen_write_copy(ctx, data->backing, xoff,
-	    (screen_hsize(data->backing) - data->oy) + py,
-	    screen_size_x(s) - size, 1);
+	if (size < screen_size_x(s)) {
+		screen_write_cursormove(ctx, xoff, py);
+		screen_write_copy(ctx, data->backing, xoff,
+		    (screen_hsize(data->backing) - data->oy) + py,
+		    screen_size_x(s) - size, 1);
+	}
 
 	if (py == data->cy && data->cx == screen_size_x(s)) {
 		memcpy(&gc, &grid_default_cell, sizeof gc);