From b8bda67f304b7c70dee891b7ca660036793c2a4b Mon Sep 17 00:00:00 2001
From: nicm
Date: Fri, 11 Apr 2014 19:35:54 +0000
Subject: Don't blindly increase offsets by the return value of snprintf, if there wasn't enough space this will go off the end. Instead clamp to the available space. Fixes crash reported by Julien Rebetez.
---
 window-copy.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
(limited to 'window-copy.c')
diff --git a/window-copy.c b/window-copy.c
index 6e4d6704..c33a4c3b 100644
--- a/window-copy.c
+++ b/window-copy.c
@@ -1194,8 +1194,8 @@ window_copy_write_line(
 screen_write_puts(ctx, &gc, "%s", hdr);
 } else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
 limit = sizeof hdr;
- if (limit > screen_size_x(s))
- limit = screen_size_x(s);
+ if (limit > screen_size_x(s) + 1)
+ limit = screen_size_x(s) + 1;
 if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
 xoff = size = xsnprintf(hdr, limit,
 "Repeat: %u", data->numprefix);
@@ -1208,10 +1208,12 @@ window_copy_write_line(
 } else
 size = 0;
- screen_write_cursormove(ctx, xoff, py);
- screen_write_copy(ctx, data->backing, xoff,
- (screen_hsize(data->backing) - data->oy) + py,
- screen_size_x(s) - size, 1);
+ if (size < screen_size_x(s)) {
+ screen_write_cursormove(ctx, xoff, py);
+ screen_write_copy(ctx, data->backing, xoff,
+ (screen_hsize(data->backing) - data->oy) + py,
+ screen_size_x(s) - size, 1);
+ }
 if (py == data->cy && data->cx == screen_size_x(s)) {
 memcpy(&gc, &grid_default_cell, sizeof gc);
-- cgit
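Review bot: `xoff` and `size` still take the raw `xsnprintf()` return in the context lines right after the new `limit` clamp. If `xsnprintf` reports the would-be length the way `snprintf` does (its definition is not on this page), both can exceed what was actually stored in `hdr`. The second hunk guards the one subtraction, but clamping at the assignment would match the commit message and cover any other use of `xoff`, for example `if (size > limit - 1) xoff = size = limit - 1;` after each `xsnprintf` call. The `+ 1` also deserves a short comment such as `/* limit includes the terminating NUL */`. The enclosing `window_copy_write_line` and the second `xsnprintf` branch lie outside the hunk.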
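Review bot: The new `if (size < screen_size_x(s))` guard in the second hunk has no comment saying why the cursor move and copy may be skipped, and the reason is not obvious from the call alone. Presumably `size` is unsigned (its declaration is outside the hunk), so `screen_size_x(s) - size` would wrap to a very large width when the prompt is as wide as or wider than the screen. A line above the guard such as `/* prompt fills or exceeds the line: nothing left to copy, and the width below would wrap */` would record that for the next maintainer. The function body continues past the end of the hunk.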