tui/SOURCES/0007-Fix-memory-corruption-with-invalid-smush-amount.patch

From 58eec2948f12d0f92f4804c72d92448b2369b8ec Mon Sep 17 00:00:00 2001
From: Lorenzo Gatti <lorenzo.gatti@gmail.com>
Date: Sun, 10 May 2015 18:03:35 -0300
Subject: [PATCH 7/8] Fix memory corruption with invalid smush amount

https://github.com/cmatsuoka/figlet/issues/4
lorenzogatti commented on Oct 28, 2014:

Another case of buffer overrun in the same function, again for right to left
layout: smushing away more characters that are contained in the outputline[]
buffers, with STRCAT being passed an invalid pointer (past the end of an
outputline[] buffer).

How is it possible to smush more characters than the length of the buffer? A
single character can be wider than the current line, but smushamt() doesn't
limit the amount of smushing to the length of the current line. Enormous
amounts of smushing are possible with space-rich fonts, such as the Obanner
collection.

Fixed in smushamt() by limiting the range of the result.

Test case:

$ figlet -f obanner132.flf -R -x -o -p -w 77 "Banner, o Banner"

--

Original fix by Lorenzo Gatti, reworked by Claudio Matsuoka.

Signed-off-by: Claudio Matsuoka <cmatsuoka@gmail.com>
---
 figlet.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/figlet.c b/figlet.c
index 9274f7f..04ba6d0 100644
--- a/figlet.c
+++ b/figlet.c
@@ -1452,6 +1452,9 @@ int smushamt()
   maxsmush = currcharwidth;
   for (row=0;row<charheight;row++) {
     if (right2left) {
+      if (maxsmush>STRLEN(outputline[row])) {
+        maxsmush=STRLEN(outputline[row]);
+        }
       for (charbd=STRLEN(currchar[row]);
         ch1=currchar[row][charbd],(charbd>0&&(!ch1||ch1==' '));charbd--) ;
       for (linebd=0;ch2=outputline[row][linebd],ch2==' ';linebd++) ;
-- 
2.5.0