pacman/util.c: fix potential buffer overflow in string_length

A potential buffer overflow could occur if a detected terminal escape sequence was not for a terminal colour (i.e. did not contain an "m"). Fix the potential buffer overflow while explicitly detecting only terminal colour escape sequences. Any other escape sequence is unexpected, and just gets pushed to the terminal. Signed-off-by: Allan McRae <allan@archlinux.org>
2024-01-26 17:06:46 +10:00 · 2024-01-26 17:06:46 +10:00 · c9c56be396
commit c9c56be396
parent 1d1bb6fa1a
1 changed files with 19 additions and 9 deletions
--- a/src/pacman/util.c
+++ b/src/pacman/util.c
@ -34,6 +34,7 @@
 #include <limits.h>
 #include <wchar.h>
 #include <wctype.h>
+#include <ctype.h>
 #ifdef HAVE_TERMIOS_H
 #include <termios.h> /* tcflush */
 #endif
@ -448,24 +449,33 @@ static char *concat_list(alpm_list_t *lst, formatfn fn)

 static size_t string_length(const char *s)
 {
-	int len;
+	size_t len;
 	wchar_t *wcstr;

 	if(!s || s[0] == '\0') {
 		return 0;
 	}
-	if(strstr(s, "\033")) {
+	if(strchr(s, '\033')) {
 		char* replaced = malloc(sizeof(char) * strlen(s));
-		int iter = 0;
+		size_t iter = 0;
 		for(; *s; s++) {
-			if(*s == '\033') {
-				while(*s != 'm') {
-					s++;
+			if(*s == '\033' && *(s+1) == '[' && isdigit(s+2)) {
+				/* handle terminal colour escape sequences */
+				const char* t = s + 3;
+
+				while(isdigit(*t) || *t == ';') {
+					t++;
+				}
+
+				if(*t == 'm') {
+					/* end of terminal colour sequence */
+					s = t++;
+					continue;
 				}
-			} else {
-				replaced[iter] = *s;
-				iter++;
 			}
+
+			replaced[iter] = *s;
+			iter++;
 		}
 		replaced[iter] = '\0';
 		len = iter;