diff options
| author |   Ingo Schwarze <schwarze@openbsd.org> | 2014-04-23 16:08:33 +0000 |
|---|---|---|
| committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-04-23 16:08:33 +0000 |
| commit | e1bb09be17d41880b391cdcbe9d968f8964928ff (patch) | |
| tree | eeb097d0331817dc1ea9f7b52f2930635bda4387 /roff.c | |
| parent | 1f555653eb03957679b5749f7ac779126c3c2627 (diff) | |
| download | mandoc-e1bb09be17d41880b391cdcbe9d968f8964928ff.tar.gz mandoc-e1bb09be17d41880b391cdcbe9d968f8964928ff.tar.zst mandoc-e1bb09be17d41880b391cdcbe9d968f8964928ff.zip | |
Audit strlcpy(3)/strlcat(3) usage.
* Repair three instances of silent truncation, use asprintf(3).
* Change two instances of strlen(3)+malloc(3)+strlcpy(3)+strlcat(3)+...
to use asprintf(3) instead to make them less error prone.
* Cast the return value of four instances where the destination
buffer is known to be large enough to (void).
* Completely remove three useless instances of strlcpy(3)/strlcat(3).
* Mark two places in -Thtml with XXX that can cause information loss
and crashes but are not easy to fix, requiring design changes of
some internal interfaces.
* The file mandocdb.c remains to be audited.
Diffstat (limited to 'roff.c')
| -rw-r--r-- | roff.c | 30 |
1 files changed, 10 insertions, 20 deletions
@@ -1,4 +1,4 @@ -/* $Id: roff.c,v 1.208 2014/04/20 19:40:13 schwarze Exp $ */ +/* $Id: roff.c,v 1.209 2014/04/23 16:08:33 schwarze Exp $ */ /* * Copyright (c) 2010, 2011, 2012 Kristaps Dzonsons <kristaps@bsd.lv> * Copyright (c) 2010-2014 Ingo Schwarze <schwarze@openbsd.org> @@ -490,14 +490,13 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int ln, int pos) { char ubuf[24]; /* buffer to print the number */ const char *start; /* start of the string to process */ - const char *stesc; /* start of an escape sequence ('\\') */ + char *stesc; /* start of an escape sequence ('\\') */ const char *stnam; /* start of the name, after "[(*" */ const char *cp; /* end of the name, e.g. before ']' */ const char *res; /* the string to be substituted */ char *nbuf; /* new buffer to copy bufp to */ size_t maxl; /* expected length of the escape name */ size_t naml; /* actual length of the escape name */ - size_t ressz; /* size of the replacement string */ int expand_count; /* to avoid infinite loops */ int npos; /* position in numeric expression */ int irc; /* return code from roff_evalnum() */ @@ -520,7 +519,7 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int ln, int pos) break; if (0 == (stesc - cp) % 2) { - stesc = cp; + stesc = (char *)cp; continue; } @@ -628,21 +627,17 @@ roff_res(struct roff *r, char **bufp, size_t *szp, int ln, int pos) ln, (int)(stesc - *bufp), NULL); res = ""; } - ressz = strlen(res); /* Replace the escape sequence by the string. */ - *szp += ressz + 1; - nbuf = mandoc_malloc(*szp); - - strlcpy(nbuf, *bufp, (size_t)(stesc - *bufp + 1)); - strlcat(nbuf, res, *szp); - strlcat(nbuf, cp, *szp); + *stesc = '\0'; + *szp = mandoc_asprintf(&nbuf, "%s%s%s", + *bufp, res, cp) + 1; /* Prepare for the next replacement. */ start = nbuf + pos; - stesc = nbuf + (stesc - *bufp) + ressz; + stesc = nbuf + (stesc - *bufp) + strlen(res); free(*bufp); *bufp = nbuf; } @@ -1990,14 +1985,9 @@ roff_userdef(ROFF_ARGS) cp += 2; continue; } - - *szp = strlen(n1) - 3 + strlen(arg[i]) + 1; - n2 = mandoc_malloc(*szp); - - strlcpy(n2, n1, (size_t)(cp - n1 + 1)); - strlcat(n2, arg[i], *szp); - strlcat(n2, cp + 3, *szp); - + *cp = '\0'; + *szp = mandoc_asprintf(&n2, "%s%s%s", + n1, arg[i], cp + 3) + 1; cp = n2 + (cp - n1); free(n1); n1 = n2; |