Cygwin: console: Prevent buffer overrun.

- This patch prevent potential buffer overrun in the code handling escape sequences.
2020-03-02 10:12:56 +09:00 · 2020-03-02 10:12:56 +09:00 · 750cd6e5b2
parent 10d8c2782d
commit 750cd6e5b2
1 changed files with 8 additions and 10 deletions
--- a/winsup/cygwin/fhandler_console.cc
+++ b/winsup/cygwin/fhandler_console.cc
@ -3094,7 +3094,8 @@ fhandler_console::write (const void *vsrc, size_t len)
 	case gotarg1:
 	  if (isdigit (*src))
 	    {
-	      con.args[con.nargs] = con.args[con.nargs] * 10 + *src - '0';
+	      if (con.nargs < MAXARGS)
+		con.args[con.nargs] = con.args[con.nargs] * 10 + *src - '0';
 	      wpbuf_put (*src);
 	      src++;
 	    }
@ -3102,9 +3103,8 @@ fhandler_console::write (const void *vsrc, size_t len)
 	    {
 	      wpbuf_put (*src);
 	      src++;
-	      con.nargs++;
-	      if (con.nargs > MAXARGS)
-		con.nargs--;
+	      if (con.nargs < MAXARGS)
+		con.nargs++;
 	    }
 	  else if (*src == ' ')
 	    {
@ -3117,9 +3117,8 @@ fhandler_console::write (const void *vsrc, size_t len)
 	    con.state = gotcommand;
 	  break;
 	case gotcommand:
-	  con.nargs ++;
-	  if (con.nargs > MAXARGS)
-	    con.nargs--;
+	  if (con.nargs < MAXARGS)
+	    con.nargs++;
 	  char_command (*src++);
 	  con.state = normal;
 	  wpixput = 0;
@ -3183,9 +3182,8 @@ fhandler_console::write (const void *vsrc, size_t len)
 	    {
 	      con.state = gotarg1;
 	      wpbuf_put (*src);
-	      con.nargs++;
-	      if (con.nargs > MAXARGS)
-		con.nargs--;
+	      if (con.nargs < MAXARGS)
+		con.nargs++;
 	      src++;
 	    }
 	  else if (isalpha (*src))