
* Fixed buffer overflow in replace().

git-svn-id: file:///srv/caca.zoy.org/var/lib/svn/cacamoo/trunk@1252 92316355-f0b4-4df1-b90c-862c8a59935f
sam pirms 18 gadiem
vecāks
revīzija
80b07e2fc9
1 mainītis faili ar 37 papildinājumiem un 125 dzēšanām
  1. +37
    -125
      src/main.c

+ 37
- 125
src/main.c Parādīt failu

@@ -323,7 +323,6 @@ char * make_caca_from_file(unsigned int *size)
char filepath[1024];
unsigned int s = 0;
char *temp = NULL;
char *temp2 = NULL;

/* Try direct name */
snprintf(filepath, 1023, "%s", cacamoo_file);
@@ -372,87 +371,21 @@ char * make_caca_from_file(unsigned int *size)


/* AHAHAH, THAT'S A COOL PERL INTERPRETER ! */
temp2 = replace(temp, " = <<\"EOC\";", "");
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, " = <<EOC;" , "");
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, " = <<EOC" , "");
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, " = << EOC" , "");
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "EOC" , "");
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "$eyes" , cacamoo_use_eyes);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "${eyes}" , cacamoo_use_eyes);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "$tongue" , cacamoo_use_tongue);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "${tongue}" , cacamoo_use_tongue);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "$thoughts" , cacamoo_thoughts);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "${thoughts}" , cacamoo_thoughts);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "$the_cow" , (const char*)string);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp2 = replace(temp, "${the_cow}" , (const char*)string);
if(temp!=temp2 && temp2 !=NULL)
{
free(temp);
temp = temp2;
}
temp = replace(temp, " = <<\"EOC\";", "");
temp = replace(temp, " = <<EOC;" , "");
temp = replace(temp, " = <<EOC" , "");
temp = replace(temp, " = << EOC" , "");
temp = replace(temp, "EOC" , "");
temp = replace(temp, "$eyes" , cacamoo_use_eyes);
temp = replace(temp, "${eyes}" , cacamoo_use_eyes);
temp = replace(temp, "$tongue" , cacamoo_use_tongue);
temp = replace(temp, "${tongue}" , cacamoo_use_tongue);
temp = replace(temp, "$thoughts" , cacamoo_thoughts);
temp = replace(temp, "${thoughts}" , cacamoo_thoughts);
temp = replace(temp, "$the_cow" , (const char*)string);
temp = replace(temp, "${the_cow}" , (const char*)string);
*size = strlen(temp)+1;


fclose(fp);
return temp;
}
@@ -509,57 +442,36 @@ char *remove_comments(char *str)
return str;
}

char *replace(char *str, char *oldpiece, const char *newpiece)
char *replace(char *s1, char *oldpiece, const char *newpiece)
{
int str_index, newstr_index, oldpiece_index, end,
new_len, old_len, cpy_len;
char *c = NULL;
char *newstr = NULL;
char *orig = str;

if(oldpiece==NULL || newpiece==NULL)
return NULL;
unsigned int oldlen = strlen(oldpiece), newlen = strlen(newpiece);
unsigned int i1 = 0, i2 = 0;
char *s2 = oldlen < newlen ? NULL : s1;

if ((c = (char *) strstr(str, oldpiece)) == NULL)
return str;


newstr = malloc(8192); // FIXME

if(newstr == NULL)
for(;;)
{
return str;
}
char *found = strstr(s1 + i1, oldpiece);
unsigned int tocopy;

new_len = strlen(newpiece);
old_len = strlen(oldpiece);
end = strlen(str) - old_len;
oldpiece_index = c - str;
if(!found)
{
tocopy = strlen(s1 + i1);
if(oldlen < newlen)
s2 = realloc(s2, i2 + tocopy + 1);
memmove(s2 + i2, s1 + i1, tocopy + 1);
if(oldlen < newlen)
free(s1);
return s2;
}

newstr_index = 0;
str_index = 0;
while(str_index <= end && c != NULL)
{
/* Copy characters from the left of matched pattern occurence */
cpy_len = oldpiece_index-str_index;
strncpy(newstr+newstr_index, str+str_index, cpy_len);
newstr_index += cpy_len;
str_index += cpy_len;

/* Copy replacement characters instead of matched pattern */
strcpy(newstr+newstr_index, newpiece);
newstr_index += new_len;
str_index += old_len;

/* Check for another pattern match */
if((c = (char *) strstr(str+str_index, oldpiece)) != NULL)
oldpiece_index = c - str;
tocopy = found - (s1 + i1);
if(oldlen < newlen)
s2 = realloc(s2, i2 + tocopy + newlen);
memmove(s2 + i2, s1 + i1, tocopy);
memcpy(s2 + tocopy, newpiece, newlen);
i1 += tocopy + oldlen;
i2 += tocopy + newlen;
}
/* Copy remaining characters from the right of last matched pattern */
strcpy(newstr+newstr_index, str+str_index);

str = orig;
return newstr;
}
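Review bot: In the new replace() loop, `memcpy(s2 + tocopy, newpiece, newlen);` drops the output offset, so on every match after the first the replacement is written at `s2 + tocopy` — inside the already-built prefix — instead of at the slot after the text just copied, corrupting earlier output and leaving the intended bytes unwritten (the first match is unaffected only because `i2 == 0` there); the fix is `memcpy(s2 + i2 + tocopy, newpiece, newlen);`. Both `s2 = realloc(s2, ...)` calls on the grow path are unchecked: on failure `s2` becomes NULL, the following `memmove` dereferences it, and the buffer that `realloc` left intact leaks, so assign to a temporary and return NULL before touching `s2`. The removed `oldpiece == NULL || newpiece == NULL` guard means `strlen` can now be reached with a NULL argument, and the caller's chained `temp = replace(temp, ...)` lines in the earlier hunk never test for a NULL result, so a single allocation failure would hand NULL to the next `strstr`; either keep the guard and check `temp` after each call, or document that replace() may return NULL and that `s1` is freed only when `oldlen < newlen`.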



