author | Daniel Stenberg <daniel@haxx.se> | 2011-11-09 22:50:36 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2011-11-11 19:57:49 +0100 |
commit | 10120e6ab545c18a89f8f23006322e2aa23fa15d (patch) | |
tree | c59fbfaff3c4e03636952544a93aaf373d9c602a | |
parent | 082e8a3b03d2c47d237994675bface127ab23c29 (diff) |
progress_cb: avoid buffer overflow
The progress bar output function would blindly use the terminal width
without bounds checking. When using a very wide terminal that caused a
buffer overflow and segfault.
We now limit the max bar width to 255 columns, and I simplified the code
to avoid an extra snprintf and buffer.
Bug: http://curl.haxx.se/bug/view.cgi?id=3435710
Reported by: Alexey Zakhlestin
-rw-r--r-- | src/tool_cb_prg.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/tool_cb_prg.c b/src/tool_cb_prg.c index e141f1e65..457c1a75d 100644 --- a/src/tool_cb_prg.c +++ b/src/tool_cb_prg.c @@ -36,6 +36,8 @@ ** callback for CURLOPT_PROGRESSFUNCTION */ +#define MAX_BARLENGTH 256 + int tool_progress_cb(void *clientp, double dltotal, double dlnow, double ultotal, double ulnow) @@ -43,8 +45,7 @@ int tool_progress_cb(void *clientp, /* The original progress-bar source code was written for curl by Lars Aas, and this new edition inherits some of his concepts. */ - char line[256]; - char outline[256]; + char line[MAX_BARLENGTH+1]; char format[40]; double frac; double percent; @@ -82,12 +83,13 @@ int tool_progress_cb(void *clientp, percent = frac * 100.0f; barwidth = bar->width - 7; num = (int) (((double)barwidth) * frac); + if(num > MAX_BARLENGTH) + num = MAX_BARLENGTH; for(i = 0; i < num; i++) line[i] = '#'; line[i] = '\0'; - snprintf(format, sizeof(format), "%%-%ds %%5.1f%%%%", barwidth); - snprintf(outline, sizeof(outline), format, line, percent); - fprintf(bar->out, "\r%s", outline); + snprintf(format, sizeof(format), "\r%%-%ds %%5.1f%%%%", barwidth); + fprintf(bar->out, format, line, percent); } fflush(bar->out); bar->prev = point; |
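Review bot: The clamp added in the last hunk bounds `num` but leaves `barwidth` as computed from `bar->width`, so on a terminal wider than MAX_BARLENGTH + 7 columns the `%-Ns` padding still spans the full width and the bar can no longer reach the right edge at 100%. Clamping the width as well, `if(barwidth > MAX_BARLENGTH) barwidth = MAX_BARLENGTH;` before `num` is computed, would keep fill and padding consistent; the existing bound on `num` should stay, since whether `frac` can exceed 1.0 is not visible in these hunks. The format string handed to `fprintf` is still assembled at run time, which keeps it out of reach of compiler format checking; `fprintf(bar->out, "\r%-*s %5.1f%%", barwidth, line, percent);` should print the same thing with a literal format and makes `format[40]` and its `snprintf` unnecessary. tool_progress_cb begins and ends outside the hunks shown.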