From a1ddcc07866e65a94c5ba412d2221b95794a4c0f Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Mon, 16 Nov 2009 02:15:13 +0100
Subject: [PATCH] fix potential buffer overflow in parse_conky_vars()
---
 src/conky.c | 17 +++++++++--------
 src/conky.h | 6 +++---
 src/exec.c | 17 ++++++++++-------
 src/exec.h | 2 +-
 src/llua.c | 2 +-
 5 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/src/conky.c b/src/conky.c
index a3e54de7..c8cc5004 100644
--- a/src/conky.c
+++ b/src/conky.c
@@ -714,10 +714,11 @@ static void extract_variable_text(const char *p)
 extract_variable_text_internal(&global_root_object, p);
 }
-void parse_conky_vars(struct text_object *root, const char *txt, char *p, struct information *cur)
+void parse_conky_vars(struct text_object *root, const char *txt,
+ char *p, int p_max_size, struct information *cur)
 {
 extract_variable_text_internal(root, txt);
- generate_text_internal(p, max_user_text, *root, cur);
+ generate_text_internal(p, p_max_size, *root, cur);
 }
 static inline void format_media_player_time(char *buf, const int size,
@@ -1190,7 +1191,7 @@ void generate_text_internal(char *p, int p_max_size,
 }
 #endif /* IMLIB2 */
 OBJ(eval) {
- evaluate(obj->data.s, p);
+ evaluate(obj->data.s, p, p_max_size);
 }
 OBJ(exec) {
 print_exec(obj, p, p_max_size);
@@ -1226,7 +1227,7 @@ void generate_text_internal(char *p, int p_max_size,
 print_execi(obj, p, p_max_size);
 }
 OBJ(execpi) {
- print_execpi(obj, p);
+ print_execpi(obj, p, p_max_size);
 }
 OBJ(texeci) {
 print_texeci(obj, p, p_max_size);
@@ -1320,7 +1321,7 @@ void generate_text_internal(char *p, int p_max_size,
 OBJ(lua_parse) {
 char *str = llua_getstring(obj->data.s);
 if (str) {
- evaluate(str, p);
+ evaluate(str, p, p_max_size);
 free(str);
 }
 }
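Review bot: `parse_conky_vars()` now forwards a caller-supplied signed `int p_max_size` straight to `generate_text_internal()`, and nothing in the first conky.c hunk rejects a zero or negative value. The same unchecked value flows through the `evaluate()` and `print_execpi()` signatures changed elsewhere in this patch, and the `src/llua.c` call passes `max_user_text`, which `src/conky.h` declares as `unsigned int`, so it is converted implicitly to `int`. Whether `generate_text_internal()` tolerates a non-positive size is not visible here; if it does not, a guard placed after the `extract_variable_text_internal()` call, `if (p_max_size <= 0) return;`, would still leave `root` initialised for callers that free it afterwards. A short comment above the definition saying that `p_max_size` is the capacity of `p`, and whether it counts the terminating NUL, would document the contract the fix relies on.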
@@ -2610,15 +2611,15 @@ void generate_text_internal(char *p, int p_max_size,
 #endif /* X11 */
 }
-void evaluate(const char *text, char *buffer)
+void evaluate(const char *text, char *p, int p_max_size)
 {
 struct information *tmp_info;
 struct text_object subroot;
 tmp_info = malloc(sizeof(struct information));
 memcpy(tmp_info, &info, sizeof(struct information));
- parse_conky_vars(&subroot, text, buffer, tmp_info);
- DBGP("evaluated '%s' to '%s'", text, buffer);
+ parse_conky_vars(&subroot, text, p, p_max_size, tmp_info);
+ DBGP("evaluated '%s' to '%s'", text, p);
 free_text_objects(&subroot, 1);
 free(tmp_info);
diff --git a/src/conky.h b/src/conky.h
index 54e505e8..78782884 100644
--- a/src/conky.h
+++ b/src/conky.h
@@ -320,9 +320,9 @@ int spaced_print(char *, int, const char *, int, ...)
 extern int inotify_fd;
 /* defined in conky.c
- * evaluates 'text' and places the result in 'buffer'
+ * evaluates 'text' and places the result in 'p' of max length 'p_max_size'
 */
-void evaluate(const char *text, char *buffer);
+void evaluate(const char *text, char *p, int p_max_size);
 /* maximum size of config TEXT buffer, i.e. below TEXT line. */
 extern unsigned int max_user_text;
@@ -359,7 +359,7 @@ void set_update_interval(double interval);
 #define UNUSED_ATTR __attribute__ ((unused))
 void parse_conky_vars(struct text_object *, const char *,
- char *, struct information *);
+ char *, int, struct information *);
 void generate_text_internal(char *, int, struct text_object,
 struct information *);
diff --git a/src/exec.c b/src/exec.c
index 1d80c370..575297e2 100644
--- a/src/exec.c
+++ b/src/exec.c
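Review bot: The updated `parse_conky_vars()` prototype in the second conky.h hunk still has unnamed parameters, so the header does not show that the new `int` is the capacity of the `char *` before it. Naming them as the definition in `src/conky.c` does would make the buffer/size pairing visible to every caller: `void parse_conky_vars(struct text_object *root, const char *txt, char *p, int p_max_size, struct information *cur);`. The comment added for `evaluate()` in the first conky.h hunk says "max length"; it should state whether that figure includes the terminating NUL, since callers size their buffers from it.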
@@ -266,15 +266,20 @@ void print_execp(struct text_object *obj, char *p, int p_max_size)
 {
 struct information *tmp_info;
 struct text_object subroot;
+ char *buf;
- read_exec(obj->data.s, p, p_max_size);
+ buf = malloc(text_buffer_size);
+ memset(buf, 0, text_buffer_size);
+
+ read_exec(obj->data.s, buf, text_buffer_size);
 tmp_info = malloc(sizeof(struct information));
 memcpy(tmp_info, &info, sizeof(struct information));
- parse_conky_vars(&subroot, p, p, tmp_info);
+ parse_conky_vars(&subroot, buf, p, p_max_size, tmp_info);
 free_text_objects(&subroot, 1);
 free(tmp_info);
+ free(buf);
 }
 void print_execi(struct text_object *obj, char *p, int p_max_size)
@@ -293,7 +298,7 @@ void print_execi(struct text_object *obj, char *p, int p_max_size)
 snprintf(p, p_max_size, "%s", ed->buffer);
 }
-void print_execpi(struct text_object *obj, char *p)
+void print_execpi(struct text_object *obj, char *p, int p_max_size)
 {
 struct execi_data *ed = obj->data.opaque;
 struct text_object subroot;
@@ -305,9 +310,7 @@ void print_execpi(struct text_object *obj, char *p)
 tmp_info = malloc(sizeof(struct information));
 memcpy(tmp_info, &info, sizeof(struct information));
- if (!time_to_update(ed)) {
- parse_conky_vars(&subroot, ed->buffer, p, tmp_info);
- } else {
+ if (time_to_update(ed)) {
 char *output;
 int length;
 FILE *fp = pid_popen(ed->cmd, "r", &childpid);
@@ -324,9 +327,9 @@ void print_execpi(struct text_object *obj, char *p)
 output[length - 1] = '\0';
 }
- parse_conky_vars(&subroot, ed->buffer, p, tmp_info);
 ed->last_update = current_update_time;
 }
+ parse_conky_vars(&subroot, ed->buffer, p, p_max_size, tmp_info);
 free_text_objects(&subroot, 1);
 free(tmp_info);
 }
diff --git a/src/exec.h b/src/exec.h
index 193399ef..dd88b211 100644
--- a/src/exec.h
+++ b/src/exec.h
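Review bot: In `print_execp()` the new `buf = malloc(text_buffer_size);` is handed to `memset()` and `read_exec()` without a NULL check, so an allocation failure turns into a write through a null pointer. Allocating zeroed memory and returning before anything else is acquired covers it: `buf = calloc(1, text_buffer_size);` followed by `if (!buf) return;`. The `tmp_info = malloc(sizeof(struct information));` on the context lines of this hunk and of the `print_execpi()` hunk is used by `memcpy()` unchecked in the same way, and would need `free(buf)` on its failure path once a check is added.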
@@ -40,7 +40,7 @@ void scan_execgraph_arg(struct text_object *, const char *);
 void print_exec(struct text_object *, char *, int);
 void print_execp(struct text_object *, char *, int);
 void print_execi(struct text_object *, char *, int);
-void print_execpi(struct text_object *, char *);
+void print_execpi(struct text_object *, char *, int);
 void print_texeci(struct text_object *, char *, int);
 #ifdef X11
 void print_execgauge(struct text_object *, char *, int);
diff --git a/src/llua.c b/src/llua.c
index 67543fdf..c3ca99ee 100644
--- a/src/llua.c
+++ b/src/llua.c
@@ -59,7 +59,7 @@ static int llua_conky_parse(lua_State *L)
 lua_error(L);
 }
 str = strdup(lua_tostring(L, 1));
- evaluate(str, buf);
+ evaluate(str, buf, max_user_text);
 lua_pushstring(L, buf);
 free(str);
 free(buf);
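Review bot: The bound in `evaluate(str, buf, max_user_text);` in the llua.c hunk prevents an overflow only if `buf` was allocated with at least `max_user_text` bytes, and that allocation is outside the hunk. If the sizes match, a comment at the call such as `/* size must match the allocation of buf */` would keep the two in step; if `buf` is sized from something else, the same expression should be used in both places. `str = strdup(lua_tostring(L, 1));` on the context line is also used without a NULL check, though that predates this change. The body of `llua_conky_parse()` starts and ends outside the hunk.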