Fix memory corruption with invalid smush amount

https://github.com/cmatsuoka/figlet/issues/4
lorenzogatti commented on Oct 28, 2014:

Another case of buffer overrun in the same function, again for right to left
layout: smushing away more characters that are contained in the outputline[]
buffers, with STRCAT being passed an invalid pointer (past the end of an
outputline[] buffer).

How is it possible to smush more characters than the length of the buffer? A
single character can be wider than the current line, but smushamt() doesn't
limit the amount of smushing to the length of the current line. Enormous
amounts of smushing are possible with space-rich fonts, such as the Obanner
collection.

Fixed in smushamt() by limiting the range of the result.

Test case:

$ figlet -f obanner132.flf -R -x -o -p -w 77 "Banner, o Banner"

--

Original fix by Lorenzo Gatti, reworked by Claudio Matsuoka.

Signed-off-by: Claudio Matsuoka <cmatsuoka@gmail.com>
This commit is contained in:
Lorenzo Gatti 2015-05-10 18:03:35 -03:00 committed by Claudio Matsuoka
parent 89693cb2ab
commit 58eec2948f

@ -1452,6 +1452,9 @@ int smushamt()
maxsmush = currcharwidth;
for (row=0;row<charheight;row++) {
if (right2left) {
if (maxsmush>STRLEN(outputline[row])) {
maxsmush=STRLEN(outputline[row]);
}
for (charbd=STRLEN(currchar[row]);
ch1=currchar[row][charbd],(charbd>0&&(!ch1||ch1==' '));charbd--) ;
for (linebd=0;ch2=outputline[row][linebd],ch2==' ';linebd++) ;