Fix memory corruption with invalid smush amount
https://github.com/cmatsuoka/figlet/issues/4 lorenzogatti commented on Oct 28, 2014: Another case of buffer overrun in the same function, again for right to left layout: smushing away more characters that are contained in the outputline[] buffers, with STRCAT being passed an invalid pointer (past the end of an outputline[] buffer). How is it possible to smush more characters than the length of the buffer? A single character can be wider than the current line, but smushamt() doesn't limit the amount of smushing to the length of the current line. Enormous amounts of smushing are possible with space-rich fonts, such as the Obanner collection. Fixed in smushamt() by limiting the range of the result. Test case: $ figlet -f obanner132.flf -R -x -o -p -w 77 "Banner, o Banner" -- Original fix by Lorenzo Gatti, reworked by Claudio Matsuoka. Signed-off-by: Claudio Matsuoka <cmatsuoka@gmail.com>
This commit is contained in:
parent
89693cb2ab
commit
58eec2948f
3
figlet.c
3
figlet.c
@ -1452,6 +1452,9 @@ int smushamt()
|
||||
maxsmush = currcharwidth;
|
||||
for (row=0;row<charheight;row++) {
|
||||
if (right2left) {
|
||||
if (maxsmush>STRLEN(outputline[row])) {
|
||||
maxsmush=STRLEN(outputline[row]);
|
||||
}
|
||||
for (charbd=STRLEN(currchar[row]);
|
||||
ch1=currchar[row][charbd],(charbd>0&&(!ch1||ch1==' '));charbd--) ;
|
||||
for (linebd=0;ch2=outputline[row][linebd],ch2==' ';linebd++) ;
|
||||
|
Loading…
x
Reference in New Issue
Block a user