From e1bb09be17d41880b391cdcbe9d968f8964928ff Mon Sep 17 00:00:00 2001 From: Ingo Schwarze Date: Wed, 23 Apr 2014 16:08:33 +0000 Subject: Audit strlcpy(3)/strlcat(3) usage. * Repair three instances of silent truncation, use asprintf(3). * Change two instances of strlen(3)+malloc(3)+strlcpy(3)+strlcat(3)+... to use asprintf(3) instead to make them less error prone. * Cast the return value of four instances where the destination buffer is known to be large enough to (void). * Completely remove three useless instances of strlcpy(3)/strlcat(3). * Mark two places in -Thtml with XXX that can cause information loss and crashes but are not easy to fix, requiring design changes of some internal interfaces. * The file mandocdb.c remains to be audited.
---
 roff.c | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)
(limited to 'roff.c')
diff --git a/roff.c b/roff.c
index fee1a8c1..07480a12 100644
--- a/roff.c
+++ b/roff.c
@@ -1,4 +1,4 @@
-/* $Id: roff.c,v 1.208 2014/04/20 19:40:13 schwarze Exp $ */
+/* $Id: roff.c,v 1.209 2014/04/23 16:08:33 schwarze Exp $ */
 /*
 * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons
 * Copyright (c) 2010-2014 Ingo Schwarze
@@ -490,14 +490,13 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int ln, int pos)
 {
 char ubuf[24]; /* buffer to print the number */
 const char *start; /* start of the string to process */
- const char *stesc; /* start of an escape sequence ('\\') */
+ char *stesc; /* start of an escape sequence ('\\') */
 const char *stnam; /* start of the name, after "[(*" */
 const char *cp; /* end of the name, e.g. before ']' */
 const char *res; /* the string to be substituted */
 char *nbuf; /* new buffer to copy bufp to */
 size_t maxl; /* expected length of the escape name */
 size_t naml; /* actual length of the escape name */
- size_t ressz; /* size of the replacement string */
 int expand_count; /* to avoid infinite loops */
 int npos; /* position in numeric expression */
 int irc; /* return code from roff_evalnum() */
@@ -520,7 +519,7 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int ln, int pos)
 break;
 if (0 == (stesc - cp) % 2) {
- stesc = cp;
+ stesc = (char *)cp;
 continue;
 }
@@ -628,21 +627,17 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int ln, int pos)
 ln, (int)(stesc - *bufp), NULL);
 res = "";
 }
- ressz = strlen(res);
 /* Replace the escape sequence by the string. */
- *szp += ressz + 1;
- nbuf = mandoc_malloc(*szp);
-
- strlcpy(nbuf, *bufp, (size_t)(stesc - *bufp + 1));
- strlcat(nbuf, res, *szp);
- strlcat(nbuf, cp, *szp);
+ *stesc = '\0';
+ *szp = mandoc_asprintf(&nbuf, "%s%s%s",
+ *bufp, res, cp) + 1;
 /* Prepare for the next replacement. */
 start = nbuf + pos;
- stesc = nbuf + (stesc - *bufp) + ressz;
+ stesc = nbuf + (stesc - *bufp) + strlen(res);
 free(*bufp);
 *bufp = nbuf;
 }
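Review bot: In the `@@ -520,7 +519,7 @@` hunk the cast in `stesc = (char *)cp;` discards the `const` on `cp`, which is sound only while `cp` points into the writable `*bufp` buffer; nothing in the visible lines states that invariant. Because the declaration hunk above turns `stesc` into a plain `char *` so that a later hunk can write `*stesc = '\0'`, a short comment at the cast would keep a future change from pointing `cp` at read-only data, for example `/* cp points into *bufp, which is writable */`. The surrounding loop starts and ends outside the hunk.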
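Review bot: In the `@@ -628,21 +627,17 @@` hunk the return value of `mandoc_asprintf()` goes straight into `*szp` after `+ 1`, with no visible check that it is non-negative; the wrapper's definition is not part of this diff, so whether it can report an error is an assumption here. If it terminates the program on failure, as the `mandoc_malloc()` call it replaces presumably does, a comment such as `/* mandoc_asprintf() does not return on failure */` would record why the unchecked conversion to `size_t` is safe. The hunk also changes `*szp` from a running total (`*szp += ressz + 1`) to the exact string length plus one, which deserves a line in the function's header comment for callers that treat it as the buffer capacity. The roff_userdef hunk (`@@ -1990,14 +1985,9 @@`) uses the same unchecked pattern, and roff_res's body continues outside this hunk.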
@@ -1990,14 +1985,9 @@ roff_userdef(ROFF_ARGS)
 cp += 2;
 continue;
 }
-
- *szp = strlen(n1) - 3 + strlen(arg[i]) + 1;
- n2 = mandoc_malloc(*szp);
-
- strlcpy(n2, n1, (size_t)(cp - n1 + 1));
- strlcat(n2, arg[i], *szp);
- strlcat(n2, cp + 3, *szp);
-
+ *cp = '\0';
+ *szp = mandoc_asprintf(&n2, "%s%s%s",
+ n1, arg[i], cp + 3) + 1;
 cp = n2 + (cp - n1);
 free(n1);
 n1 = n2;
-- cgit v1.2.3
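Review bot: After the substitution, `cp = n2 + (cp - n1);` leaves `cp` at the first byte of the inserted `arg[i]`, so the argument text itself appears to be scanned again by the enclosing loop, which is outside the hunk. If an argument can contain the same three-byte escape, nothing visible here bounds the repeated growth of `n1`, whereas roff_res declares an `expand_count` for that purpose. Consider either skipping the inserted text, `cp = n2 + (cp - n1) + strlen(arg[i]);`, or adding a similar expansion limit, depending on whether re-expansion of arguments is intended.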