nyancat

Unnamed repository; edit this file 'description' to name the repository.
git clone https://git.inz.fi/nyancat
Log | Files | Refs | README

commit 3bc3ad41085ae6947f39912b0744a3eaf48bf4a3
parent d558de603d29a0054e93294272861fd3ea2f0785
Author: Santtu Lakkala <inz@inz.fi>
Date:   Mon, 20 Jul 2020 10:44:47 +0300

Fix crashes

The process() function exepcted terminating zero, which is not used, use
length checks instead.

Diffstat:
Mnyancat.c | 13+++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/nyancat.c b/nyancat.c @@ -311,16 +311,18 @@ ssize_t lc_process(struct lolcat *lc, const char *buffer, int32_t len) return ip; if (c == '\x1b') { - if (!buffer[i]) + if (i >= len) return ip; if (buffer[i] == '[') { size_t n_args; char cmd; + if (i + 1 >= len) + return ip; if (buffer[i + 1] == '?') { n_args = strnspn(buffer + i + 2, len - i - 2, "0123456789;"); - if (!buffer[i + 2 + n_args]) + if (i + 2 + n_args >= len) return ip; lc->write(buffer + ip, n_args + 4, lc->write_data); @@ -329,6 +331,8 @@ ssize_t lc_process(struct lolcat *lc, const char *buffer, int32_t len) } n_args = strnspn(buffer + i + 1, len - i - 1, "0123456789;"); + if (i + 1 + n_args >= len) + return ip; cmd = buffer[i + 1 + n_args]; if (!cmd) @@ -402,12 +406,9 @@ ssize_t lc_process(struct lolcat *lc, const char *buffer, int32_t len) } if (buffer[i] == '(') { size_t n_args; - char cmd; n_args = strnspn(buffer + i + 1, len - i - 1, "0123456789;"); - cmd = buffer[i + 1 + n_args]; - - if (!cmd) + if (i + 1 + n_args >= len) return ip; lc->write(buffer + ip, n_args + 3,