From 669713d43f8a014ba481265d4c58c3fe575527b4 Mon Sep 17 00:00:00 2001 From: Ray Lai Date: Mon, 23 May 2016 22:30:52 +0800 Subject: 9term: Add missing parentheses, preventing buffer overflow. (el-sr) is the string length and (sizeof wdir - strlen(name) - 20) is the buffer size. When the string length is greater than the buffer size, the beginning of the string is supposed to be trimmed to fit in the buffer size. Unfortunately a pair of parentheses were missing, pointing sr outside the buffer, and the for loop below then reads outside the buffer. For certain binary data printed in a window, it causes a segfault. Change-Id: Iffeaa348260ee2a5a36d9577308fb8d1c1688d05 Reviewed-on: https://plan9port-review.googlesource.com/1540 Reviewed-by: Gleydson Soares --- src/cmd/9term/win.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/cmd') diff --git a/src/cmd/9term/win.c b/src/cmd/9term/win.c index 032f9ded..017d546b 100644 --- a/src/cmd/9term/win.c +++ b/src/cmd/9term/win.c @@ -634,7 +634,7 @@ label(char *sr, int n) el = r+1; if(el-sr > sizeof wdir - strlen(name) - 20) - sr = el - sizeof wdir - strlen(name) - 20; + sr = el - (sizeof wdir - strlen(name) - 20); for(sl=el-3; sl>=sr; sl--) if(sl[0]=='\033' && sl[1]==']' && sl[2]==';') break; -- cgit v1.2.3