From 08e9b19a4d03c0460760a69df3eff400acd69e32 Mon Sep 17 00:00:00 2001 From: millert Date: Wed, 27 Sep 2023 21:06:33 +0000 Subject: [PATCH] Use a dynamically-allocated line buffer and resize as needed. Fixes a buffer overflow for lines over 2048 bytes. Problem reported by Crystal Kolipe. OK deraadt@ --- usr.bin/deroff/deroff.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/usr.bin/deroff/deroff.c b/usr.bin/deroff/deroff.c index b4b560fa8d26..acb33b750518 100644 --- a/usr.bin/deroff/deroff.c +++ b/usr.bin/deroff/deroff.c @@ -1,4 +1,4 @@ -/* $OpenBSD: deroff.c,v 1.17 2023/03/08 04:43:10 guenther Exp $ */ +/* $OpenBSD: deroff.c,v 1.18 2023/09/27 21:06:33 millert Exp $ */ /*- * Copyright (c) 1988, 1993 @@ -135,7 +135,8 @@ int keepblock; /* keep blocks of text; normally false when msflag */ char chars[128]; /* SPECIAL, PUNCT, APOS, DIGIT, or LETTER */ -char line[LINE_MAX]; +size_t linesz; +char *line; char *lp; int c; @@ -342,6 +343,10 @@ main(int ac, char **av) files[0] = infile; filesp = &files[0]; + linesz = LINE_MAX; + if ((line = malloc(linesz)) == NULL) + err(1, NULL); + for (i = 'a'; i <= 'z'; ++i) chars[i] = LETTER; for (i = 'A'; i <= 'Z'; ++i) @@ -477,7 +482,15 @@ regline(void (*pfunc)(char *, int), int constant) line[0] = c; lp = line; - while (lp - line < sizeof(line)) { + for (;;) { + if (lp - line == linesz - 1) { + char *newline = reallocarray(line, linesz, 2); + if (newline == NULL) + err(1, NULL); + lp = newline + (lp - line); + line = newline; + linesz *= 2; + } if (c == '\\') { *lp = ' '; backsl();