vis(3): avoid out-of-bounds stack buffer reads

I found this while running kdump(1) on a CheriBSD system due to a
capability length violation when printing the /etc/libmap.conf read()
system call: it crashed immediately after printing the first line.

Found by:	CHERI
Reviewed By:	jhb
MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D30771

(cherry picked from commit 1a2f06d0f2)
Alex Richardson 2021-06-16 16:27:13 +01:00
parent f42db652c3
commit c89f104c12

@ -465,7 +465,8 @@ istrsenvisx(char **mbdstp, size_t *dlen, const char *mbsrc, size_t mblength,
while (mbslength > 0) {
/* Convert one multibyte character to wchar_t. */
if (!cerr)
clen = mbrtowc(src, mbsrc, MB_LEN_MAX, &mbstate);
clen = mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX),
&mbstate);
if (cerr || clen < 0) {
/* Conversion error, process as a byte instead. */
*src = (wint_t)(u_char)*mbsrc;
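Review bot: in the new mbrtowc() call, capping n at MIN(mbslength, MB_LEN_MAX) means a multibyte sequence cut off at the end of the input now comes back as (size_t)-2 (incomplete) instead of being completed from bytes past the buffer. The `cerr || clen < 0` check that follows only catches that if clen is a signed type, and its declaration is outside this hunk, so please confirm it. After a -2 return mbstate still holds the partial sequence, so the byte-fallback branch should reset mbstate before the next iteration unless that already happens below the visible lines. A one-line comment on the call saying that mbsrc is only guaranteed to have mbslength readable bytes would also keep the bound from being simplified back to MB_LEN_MAX later.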