Fix memory corruption with invalid smush amount
#4
lorenzogatti commented on Oct 28, 2014:

Another case of buffer overrun in the same function, again for right to left
layout: smushing away more characters than are contained in the outputline[]
buffers, with STRCAT being passed an invalid pointer (past the end of an
outputline[] buffer).

How is it possible to smush more characters than the length of the buffer? A
single character can be wider than the current line, but smushamt() doesn't
limit the amount of smushing to the length of the current line. Enormous
amounts of smushing are possible with space-rich fonts, such as the Obanner
collection.

Fixed in smushamt() by limiting the range of the result.

Test case:

$ figlet -f obanner132.flf -R -x -o -p -w 77 "Banner, o Banner"

--

Original fix by Lorenzo Gatti, reworked by Claudio Matsuoka.

Signed-off-by: Claudio Matsuoka <[email protected]>
lorenzogatti authored and cmatsuoka committed May 10, 2015
1 parent 89693cb commit 58eec29
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions figlet.c
Expand Up @@ -1452,6 +1452,9 @@ int smushamt()
maxsmush = currcharwidth;
for (row=0;row<charheight;row++) {
if (right2left) {
if (maxsmush>STRLEN(outputline[row])) {
maxsmush=STRLEN(outputline[row]);
}
for (charbd=STRLEN(currchar[row]);
ch1=currchar[row][charbd],(charbd>0&&(!ch1||ch1==' '));charbd--) ;
for (linebd=0;ch2=outputline[row][linebd],ch2==' ';linebd++) ;
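
Review bot: the new clamp at the top of the `if (right2left)` branch has no comment explaining why `maxsmush` is bounded by `STRLEN(outputline[row])`. A one-line comment saying that a character wider than the current line must not smush away more than the row holds (the case described in the commit message) would keep the check from being dropped in a later cleanup. The bound is added only on the right-to-left side, and the left-to-right branch is outside the visible context, so please confirm it cannot yield a smush amount larger than the line. `STRLEN(outputline[row])` is evaluated twice per row; storing it in a local would also make any signed/unsigned conversion against `maxsmush` explicit, if `STRLEN` returns an unsigned type. The `obanner132.flf` command from the commit message would make a good regression test alongside this change.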