51 lines
1.7 KiB
From 58eec2948f12d0f92f4804c72d92448b2369b8ec Mon Sep 17 00:00:00 2001
From: Lorenzo Gatti <lorenzo.gatti@gmail.com>
Date: Sun, 10 May 2015 18:03:35 -0300
Subject: [PATCH 7/8] Fix memory corruption with invalid smush amount

https://github.com/cmatsuoka/figlet/issues/4
lorenzogatti commented on Oct 28, 2014:

Another case of buffer overrun in the same function, again for right to left
layout: smushing away more characters than are contained in the outputline[]
buffers, with STRCAT being passed an invalid pointer (past the end of an
outputline[] buffer).

How is it possible to smush more characters than the length of the buffer? A
single character can be wider than the current line, but smushamt() doesn't
limit the amount of smushing to the length of the current line. Enormous
amounts of smushing are possible with space-rich fonts, such as the Obanner
collection.

Fixed in smushamt() by limiting the range of the result.

Test case:

$ figlet -f obanner132.flf -R -x -o -p -w 77 "Banner, o Banner"

--

Original fix by Lorenzo Gatti, reworked by Claudio Matsuoka.

Signed-off-by: Claudio Matsuoka <cmatsuoka@gmail.com>
---
figlet.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/figlet.c b/figlet.c |
|
index 9274f7f..04ba6d0 100644 |
|
--- a/figlet.c |
|
+++ b/figlet.c |
|
@@ -1452,6 +1452,9 @@ int smushamt() |
|
maxsmush = currcharwidth; |
|
for (row=0;row<charheight;row++) { |
|
if (right2left) { |
|
+ if (maxsmush>STRLEN(outputline[row])) { |
|
+ maxsmush=STRLEN(outputline[row]); |
|
+ } |
|
for (charbd=STRLEN(currchar[row]); |
|
ch1=currchar[row][charbd],(charbd>0&&(!ch1||ch1==' '));charbd--) ; |
|
for (linebd=0;ch2=outputline[row][linebd],ch2==' ';linebd++) ; |
|
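Review bot: the new clamp at the top of the `if (right2left)` branch has no comment explaining why `maxsmush` must not exceed the length of `outputline[row]`, and the diffstat shows only figlet.c changed, so the reproducer from the commit message (`figlet -f obanner132.flf -R -x -o -p -w 77 "Banner, o Banner"`) is not captured as a regression test. A one-line comment stating the invariant (the smush amount may never exceed the current line length, otherwise the later STRCAT gets a pointer past the end of the buffer) and a test that runs the reproducer would keep this from regressing. Two smaller points on the same three lines: `STRLEN(outputline[row])` is evaluated twice per row, and its definition is not visible here, so if it yields an unsigned type the comparison with `maxsmush` mixes signedness; reading the length once into a local of the same type as `maxsmush` would address both. The clamp is applied only on the right-to-left path, and the other branch is not shown in this hunk, so it is worth confirming that the left-to-right path is bounded in an equivalent way.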
-- |
|
2.5.0 |
|
|
|
|