commit 3bc3ad41085ae6947f39912b0744a3eaf48bf4a3
parent d558de603d29a0054e93294272861fd3ea2f0785
Author: Santtu Lakkala <inz@inz.fi>
Date: Mon, 20 Jul 2020 10:44:47 +0300
Fix crashes
The process() function expected a terminating zero, which is not used; use
length checks instead.
Diffstat:
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/nyancat.c b/nyancat.c
@@ -311,16 +311,18 @@ ssize_t lc_process(struct lolcat *lc, const char *buffer, int32_t len)
return ip;
if (c == '\x1b') {
- if (!buffer[i])
+ if (i >= len)
return ip;
if (buffer[i] == '[') {
size_t n_args;
char cmd;
+ if (i + 1 >= len)
+ return ip;
if (buffer[i + 1] == '?') {
n_args = strnspn(buffer + i + 2,
len - i - 2,
"0123456789;");
- if (!buffer[i + 2 + n_args])
+ if (i + 2 + n_args >= len)
return ip;
lc->write(buffer + ip, n_args + 4,
lc->write_data);
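Review bot: The new bounds checks compare a `size_t` expression against the signed `int32_t len` (`i + 2 + n_args >= len` here, and the same shape in the two later hunks), so `len` is converted to unsigned for the comparison. If a caller ever passes a negative length, for example an unchecked read result, the bound becomes very large and these checks no longer stop the reads of `buffer[i + 1]` and beyond. The declaration of `i` and any entry validation are outside the hunk, so this may already be covered. If it is not, reject `len <= 0` at the top of lc_process and make the conversion explicit, e.g. `if (i + 2 + n_args >= (size_t)len)`.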
@@ -329,6 +331,8 @@ ssize_t lc_process(struct lolcat *lc, const char *buffer, int32_t len)
}
n_args = strnspn(buffer + i + 1, len - i - 1,
"0123456789;");
+ if (i + 1 + n_args >= len)
+ return ip;
cmd = buffer[i + 1 + n_args];
if (!cmd)
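Review bot: The `if (!cmd)` test kept right after the new length check still treats a zero byte as end of input, although the commit message says the buffer carries no terminator, and the `(` branch in the last hunk drops the same test. With the length check in place, a NUL at this position is real data rather than a sentinel. The body of the `if` is outside the hunk, but if it returns `ip` like the neighbouring checks, an input holding ESC `[`, digits and then a NUL byte would presumably be reported as an incomplete sequence on every call. Consider removing the test here as well, or handling the NUL like any other unrecognised final byte, so the two branches agree.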
@@ -402,12 +406,9 @@ ssize_t lc_process(struct lolcat *lc, const char *buffer, int32_t len)
}
if (buffer[i] == '(') {
size_t n_args;
- char cmd;
n_args = strnspn(buffer + i + 1, len - i - 1,
"0123456789;");
- cmd = buffer[i + 1 + n_args];
-
- if (!cmd)
+ if (i + 1 + n_args >= len)
return ip;
lc->write(buffer + ip, n_args + 3,