Fix config buffer overflow and logic

author: Ian Fan <ianfan0@gmail.com> 2018-07-15 14:59:54 +0100
committer: Ian Fan <ianfan0@gmail.com> 2018-07-15 14:59:54 +0100
commit: e6209afcd6923d9803c3ea6bacf3f9322a7a7450 (patch)
tree: c64290c0938c5ffca827806b60c2e1fe8d4ae5be /sway/config.c
parent: Merge pull request #2275 from RyanDwyer/transactionise-focus (diff)
download: sway-e6209afcd6923d9803c3ea6bacf3f9322a7a7450.tar.gz
sway-e6209afcd6923d9803c3ea6bacf3f9322a7a7450.tar.zst
sway-e6209afcd6923d9803c3ea6bacf3f9322a7a7450.zip
1 files changed, 19 insertions, 12 deletions
diff --git a/sway/config.c b/sway/config.c
index 636f5f57..b8c874e6 100644
--- a/sway/config.c
+++ b/sway/config.c
@@ -560,8 +560,8 @@ static char *expand_line(const char *block, const char *line, bool add_brace) {
 bool read_config(FILE *file, struct sway_config *config) {
        bool reading_main_config = false;
-        char *this_config = NULL, *config_pos;
+        char *this_config = NULL;
-        long config_size = 0;
+        unsigned long config_size = 0;
        if (config->current_config == NULL) {
                reading_main_config = true;
@@ -569,7 +569,7 @@ bool read_config(FILE *file, struct sway_config *config) {
                config_size = ftell(file);
                rewind(file);
-                config_pos = this_config = malloc(config_size + 1);
+                config->current_config = this_config = calloc(1, config_size + 1);
                if (this_config == NULL) {
                        wlr_log(WLR_ERROR, "Unable to allocate buffer for config contents");
                        return false;
@@ -580,6 +580,7 @@ bool read_config(FILE *file, struct sway_config *config) {
        int line_number = 0;
        char *line;
        list_t *stack = create_list();
+        size_t read = 0;
        while (!feof(file)) {
                char *block = stack->length ? stack->items[0] : NULL;
                line = read_line(file);
@@ -590,10 +591,21 @@ bool read_config(FILE *file, struct sway_config *config) {
                wlr_log(WLR_DEBUG, "Read line %d: %s", line_number, line);
                if (reading_main_config) {
-                        size_t l = strlen(line);
+                        size_t length = strlen(line);
-                        memcpy(config_pos, line, l); // don't copy terminating character
-                        config_pos += l;
+                        if (read + length > config_size) {
-                        *config_pos++ = '\n';
+                                wlr_log(WLR_ERROR, "Config file changed during reading");
+                                list_foreach(stack, free);
+                                list_free(stack);
+                                free(line);
+                                return false;
+                        }
+                        strcpy(this_config + read, line);
+                        if (line_number != 1) {
+                                this_config[read - 1] = '\n';
+                        }
+                        read += length + 1;
                }
                line = strip_whitespace(line);
@@ -616,7 +628,6 @@ bool read_config(FILE *file, struct sway_config *config) {
                        list_foreach(stack, free);
                        list_free(stack);
                        free(line);
-                        free(this_config);
                        return false;
                }
                wlr_log(WLR_DEBUG, "Expanded line: %s", expanded);
@@ -677,10 +688,6 @@ bool read_config(FILE *file, struct sway_config *config) {
        list_foreach(stack, free);
        list_free(stack);
-        if (reading_main_config) {
-                this_config[config_size - 1] = '\0';
-                config->current_config = this_config;
-        }
        return success;
 }
author	Ian Fan <ianfan0@gmail.com>	2018-07-15 14:59:54 +0100
committer	Ian Fan <ianfan0@gmail.com>	2018-07-15 14:59:54 +0100
commit	e6209afcd6923d9803c3ea6bacf3f9322a7a7450 (patch)
tree	c64290c0938c5ffca827806b60c2e1fe8d4ae5be /sway/config.c
parent	Merge pull request #2275 from RyanDwyer/transactionise-focus (diff)
download	sway-e6209afcd6923d9803c3ea6bacf3f9322a7a7450.tar.gz sway-e6209afcd6923d9803c3ea6bacf3f9322a7a7450.tar.zst sway-e6209afcd6923d9803c3ea6bacf3f9322a7a7450.zip

diff --git a/sway/config.c b/sway/config.c index 636f5f57..b8c874e6 100644 --- a/sway/config.c +++ b/sway/config.c
@@ -560,8 +560,8 @@ static char expand_line(const char block, const char *line, bool add_brace) {
560		560
561	bool read_config(FILE file, struct sway_config config) {	561	bool read_config(FILE file, struct sway_config config) {
562	bool reading_main_config = false;	562	bool reading_main_config = false;
563	char this_config = NULL, config_pos;	563	char *this_config = NULL;
564	long config_size = 0;	564	unsigned long config_size = 0;
565	if (config->current_config == NULL) {	565	if (config->current_config == NULL) {
566	reading_main_config = true;	566	reading_main_config = true;
567		567
@@ -569,7 +569,7 @@ bool read_config(FILE file, struct sway_config config) {
569	config_size = ftell(file);	569	config_size = ftell(file);
570	rewind(file);	570	rewind(file);
571		571
572	config_pos = this_config = malloc(config_size + 1);	572	config->current_config = this_config = calloc(1, config_size + 1);
573	if (this_config == NULL) {	573	if (this_config == NULL) {
574	wlr_log(WLR_ERROR, "Unable to allocate buffer for config contents");	574	wlr_log(WLR_ERROR, "Unable to allocate buffer for config contents");
575	return false;	575	return false;
@@ -580,6 +580,7 @@ bool read_config(FILE file, struct sway_config config) {
580	int line_number = 0;	580	int line_number = 0;
581	char *line;	581	char *line;
582	list_t *stack = create_list();	582	list_t *stack = create_list();
		583	size_t read = 0;
583	while (!feof(file)) {	584	while (!feof(file)) {
584	char *block = stack->length ? stack->items[0] : NULL;	585	char *block = stack->length ? stack->items[0] : NULL;
585	line = read_line(file);	586	line = read_line(file);
@@ -590,10 +591,21 @@ bool read_config(FILE file, struct sway_config config) {
590	wlr_log(WLR_DEBUG, "Read line %d: %s", line_number, line);	591	wlr_log(WLR_DEBUG, "Read line %d: %s", line_number, line);
591		592
592	if (reading_main_config) {	593	if (reading_main_config) {
593	size_t l = strlen(line);	594	size_t length = strlen(line);
594	memcpy(config_pos, line, l); // don't copy terminating character	595
595	config_pos += l;	596	if (read + length > config_size) {
596	*config_pos++ = '\n';	597	wlr_log(WLR_ERROR, "Config file changed during reading");
		598	list_foreach(stack, free);
		599	list_free(stack);
		600	free(line);
		601	return false;
		602	}
		603
		604	strcpy(this_config + read, line);
		605	if (line_number != 1) {
		606	this_config[read - 1] = '\n';
		607	}
		608	read += length + 1;
597	}	609	}
598		610
599	line = strip_whitespace(line);	611	line = strip_whitespace(line);
@@ -616,7 +628,6 @@ bool read_config(FILE file, struct sway_config config) {
616	list_foreach(stack, free);	628	list_foreach(stack, free);
617	list_free(stack);	629	list_free(stack);
618	free(line);	630	free(line);
619	free(this_config);
620	return false;	631	return false;
621	}	632	}
622	wlr_log(WLR_DEBUG, "Expanded line: %s", expanded);	633	wlr_log(WLR_DEBUG, "Expanded line: %s", expanded);
@@ -677,10 +688,6 @@ bool read_config(FILE file, struct sway_config config) {
677	list_foreach(stack, free);	688	list_foreach(stack, free);
678	list_free(stack);	689	list_free(stack);
679		690
680	if (reading_main_config) {
681	this_config[config_size - 1] = '\0';
682	config->current_config = this_config;
683	}
684	return success;	691	return success;
685	}	692	}
686		693