Be more careful with string array bounds! Found by LLVM+Clang scan-build.

2012-12-04 01:11:17 +00:00 · 2012-12-04 01:11:17 +00:00 · 9d2fefeac4
parent 5a70000aaf
commit 9d2fefeac4
2 changed files with 8 additions and 6 deletions
--- a/shf.c
+++ b/shf.c
@ -24,7 +24,7 @@

 #include "sh.h"

-__RCSID("$MirOS: src/bin/mksh/shf.c,v 1.47 2012/10/03 16:16:15 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/shf.c,v 1.48 2012/12/04 01:11:16 tg Exp $");

 /* flags to shf_emptybuf() */
 #define EB_READSW	0x01	/* about to switch to reading */
@ -971,14 +971,13 @@ shf_vfprintf(struct shf *shf, const char *fmt, va_list args)

 		case 'c':
 			flags &= ~FL_DOT;
-			numbuf[0] = (char)(VA(int));
-			s = numbuf;
-			len = 1;
-			break;
+			c = (char)(VA(int));
+			/* FALLTHROUGH */

 		case '%':
 		default:
 			numbuf[0] = c;
+			numbuf[1] = 0;
 			s = numbuf;
 			len = 1;
 			break;
--- a/var.c
+++ b/var.c
@ -27,7 +27,7 @@
 #include <sys/sysctl.h>
 #endif

-__RCSID("$MirOS: src/bin/mksh/var.c,v 1.162 2012/12/01 01:36:30 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/var.c,v 1.163 2012/12/04 01:11:17 tg Exp $");

 /*-
 * Variables
@ -615,10 +615,13 @@ formatstr(struct tbl *vp, const char *s)
 				--slen;
 			}
 			if (vp->flag & ZEROFIL && vp->flag & INTEGER) {
+				if (!s[0] || !s[1])
+					goto uhm_no;
 				if (s[1] == '#')
 					n = 2;
 				else if (s[2] == '#')
 					n = 3;
+ uhm_no:
 				if (vp->u2.field <= n)
 					n = 0;
 			}