authorDaniel Stenberg <daniel@haxx.se>2011-11-09 22:50:36 +0100
committerDaniel Stenberg <daniel@haxx.se>2011-11-11 19:57:49 +0100
commit10120e6ab545c18a89f8f23006322e2aa23fa15d (patch)
treec59fbfaff3c4e03636952544a93aaf373d9c602a
parent082e8a3b03d2c47d237994675bface127ab23c29 (diff)
progress_cb: avoid buffer overflow
The progress bar output function would blindly use the terminal width without bounds checking. When using a very wide terminal that caused a buffer overflow and segfault. We now limit the max bar width to 255 columns, and I simplified the code to avoid an extra snprintf and buffer. Bug: http://curl.haxx.se/bug/view.cgi?id=3435710 Reported by: Alexey Zakhlestin
-rw-r--r--src/tool_cb_prg.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/src/tool_cb_prg.c b/src/tool_cb_prg.c
index e141f1e65..457c1a75d 100644
--- a/src/tool_cb_prg.c
+++ b/src/tool_cb_prg.c
@@ -36,6 +36,8 @@
** callback for CURLOPT_PROGRESSFUNCTION
*/
+#define MAX_BARLENGTH 256
+
int tool_progress_cb(void *clientp,
double dltotal, double dlnow,
double ultotal, double ulnow)
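Review bot: `#define MAX_BARLENGTH 256` is inserted between the comment ending in `** callback for CURLOPT_PROGRESSFUNCTION */` and the `tool_progress_cb` signature, so that comment now appears to describe the macro rather than the function. Move the define above the comment block and give it its own comment, for example `/* max number of '#' characters drawn; line[] is MAX_BARLENGTH+1 to hold the NUL */`. The commit message speaks of 255 columns while the constant is 256, so the comment should state which limit is intended.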
@@ -43,8 +45,7 @@ int tool_progress_cb(void *clientp,
/* The original progress-bar source code was written for curl by Lars Aas,
and this new edition inherits some of his concepts. */
- char line[256];
- char outline[256];
+ char line[MAX_BARLENGTH+1];
char format[40];
double frac;
double percent;
@@ -82,12 +83,13 @@ int tool_progress_cb(void *clientp,
percent = frac * 100.0f;
barwidth = bar->width - 7;
num = (int) (((double)barwidth) * frac);
+ if(num > MAX_BARLENGTH)
+ num = MAX_BARLENGTH;
for(i = 0; i < num; i++)
line[i] = '#';
line[i] = '\0';
- snprintf(format, sizeof(format), "%%-%ds %%5.1f%%%%", barwidth);
- snprintf(outline, sizeof(outline), format, line, percent);
- fprintf(bar->out, "\r%s", outline);
+ snprintf(format, sizeof(format), "\r%%-%ds %%5.1f%%%%", barwidth);
+ fprintf(bar->out, format, line, percent);
}
fflush(bar->out);
bar->prev = point;
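Review bot: `fprintf(bar->out, format, line, percent)` still passes a format string assembled at run time, which defeats the compiler's format checking and keeps the 40-byte `format` buffer around only to carry a width. A `*` field width does the same with a literal: `fprintf(bar->out, "\r%-*s %5.1f%%", barwidth, line, percent);`, after which the `snprintf` line can go, and `format` too if nothing else in the function uses it. Separately, the new clamp bounds `num` only from above. A negative `num` is harmless because the fill loop is skipped, but the `(int)` cast is undefined if `barwidth * frac` falls outside `int` range; `frac` is computed outside this hunk, so its range should be confirmed there. The body of `tool_progress_cb` starts and ends outside the hunk.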