From fa84d4b2d6f46fcd8085260e138a1f448b97aca2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joan=20Bruguera=20Mic=C3=B3?= Date: Sun, 7 Jul 2024 11:55:47 +0000 Subject: [PATCH] Fix out-of-bounds read when parsing --list argument When running bemenu like: env BEMENU_OPTS="--list 3" bemenu Valgrind will report an out-of-bounds read: Invalid read of size 1 at 0x10BC91: do_getopt.part.0 (common.c:366) by 0x10C635: do_getopt (common.c:340) by 0x10C635: parse_args (common.c:556) by 0x10B535: main (bemenu.c:55) Address 0x4ac13e2 is 0 bytes after a block of size 2 alloc'd at 0x4849BF3: calloc (vg_replace_malloc.c:1675) by 0x10C533: cstrcopy (common.c:120) by 0x10C533: tokenize_quoted_to_argv (common.c:146) by 0x10C60C: parse_args (common.c:555) by 0x10B535: main (bemenu.c:55) The problem is that the parsing code for `--list` will blindly compare a character past the number of lines to parse for e.g. `--list '3 up'` but the end of the string may come right after the number of lines. In my system Valgrind does not find the error when running bemenu like `bemenu --list 3` even though the logic is equally questionable. Fix it by checking that there is more after the number of lines. --- client/common/common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/common/common.c b/client/common/common.c index e539d79..198cd05 100644 --- a/client/common/common.c +++ b/client/common/common.c @@ -363,7 +363,7 @@ do_getopt(struct client *client, int *argc, char **argv[]) { char *ptr; client->lines = strtol(optarg, &ptr, 10); - client->lines_mode = (!strcmp(ptr + 1, "up") ? BM_LINES_UP : BM_LINES_DOWN); + client->lines_mode = (*ptr && !strcmp(ptr + 1, "up") ? BM_LINES_UP : BM_LINES_DOWN); break; } case 'c':
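Review bot: the added `*ptr &&` guard in the `lines_mode` assignment stops the read past the terminator when optarg ends right after the number, but it still skips exactly one character blindly, so `--list '3xup'` selects BM_LINES_UP while `--list '3  up'` (two spaces) silently falls back to BM_LINES_DOWN. Consider skipping whitespace explicitly and comparing from there, e.g. `while (*ptr == ' ') ptr++;` followed by `!strcmp(ptr, "up")`. Since `strtol` signals "no digits" by leaving `ptr == optarg`, that case (`--list up`) is also worth rejecting here instead of storing 0 lines; likewise a negative count is accepted as-is, and the same `ptr + 1` pattern in the commit message's `bemenu --list 3` case only escapes Valgrind because the argv string happens to be followed by readable memory, not because the logic is safe.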
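To make the commit message's point concrete, the following is an added example (not bemenu's code and not part of the patch): it reproduces the patched `--list` expression in isolation next to a stricter parser, so the edge cases can be run side by side. The enum values, the `struct list_opt` type and both function names are assumptions of this example; only the identifiers `BM_LINES_UP`, `BM_LINES_DOWN` and `lines_mode` come from the hunk.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mode names taken from the hunk; the numeric values are assumed here. */
enum lines_mode { BM_LINES_DOWN = 0, BM_LINES_UP = 1 };

/* Parsed form of a --list argument (type defined for this example). */
struct list_opt {
    long lines;
    enum lines_mode mode;
};

/* The expression the patch lands on: strtol, then guard on `*ptr` before
 * comparing ptr + 1 with "up". No read past the terminator any more, but it
 * still skips one arbitrary character after the number. */
struct list_opt parse_list_patched(const char *optarg)
{
    struct list_opt o;
    char *ptr;

    o.lines = strtol(optarg, &ptr, 10);
    o.mode = (*ptr && !strcmp(ptr + 1, "up") ? BM_LINES_UP : BM_LINES_DOWN);
    return o;
}

/* Stricter parser (example code, not bemenu's):
 *  - rejects an argument with no digits (strtol leaves ptr == optarg),
 *    an out-of-range value, or a negative count
 *  - skips any run of whitespace after the number
 *  - accepts exactly "up", "down" or nothing after it; anything else fails
 * Returns 0 on success and -1 on error; *out is untouched on error. */
int parse_list_strict(const char *optarg, struct list_opt *out)
{
    char *ptr;
    long n;
    enum lines_mode mode;

    errno = 0;
    n = strtol(optarg, &ptr, 10);
    if (ptr == optarg || errno == ERANGE || n < 0 || n > INT_MAX)
        return -1;

    while (*ptr && isspace((unsigned char)*ptr))
        ptr++;

    if (*ptr == '\0' || strcmp(ptr, "down") == 0)
        mode = BM_LINES_DOWN;
    else if (strcmp(ptr, "up") == 0)
        mode = BM_LINES_UP;
    else
        return -1;

    out->lines = n;
    out->mode = mode;
    return 0;
}

/* Constructed inputs: the commit message's "3" and "3 up" plus the edge cases
 * the patched expression still gets wrong. */
int main(void)
{
    const char *inputs[] = { "3", "3 up", "3xup", "3  up", "up", "-1" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct list_opt p = parse_list_patched(inputs[i]);
        struct list_opt s = { 0, BM_LINES_DOWN };
        int rc = parse_list_strict(inputs[i], &s);
        printf("%-6s patched: lines=%ld %-4s  strict: %s",
               inputs[i], p.lines, p.mode == BM_LINES_UP ? "up" : "down",
               rc == 0 ? "ok" : "rejected");
        if (rc == 0)
            printf(" lines=%ld %s", s.lines, s.mode == BM_LINES_UP ? "up" : "down");
        printf("\n");
    }
    return 0;
}
```

Running it shows that `parse_list_patched` never reads past the terminator for `"3"`, which is the fix the patch delivers, but also that it classifies `"3xup"` as up and `"3  up"` as down, and that `"up"` and `"-1"` are accepted with 0 and -1 lines respectively; the strict variant rejects all four of those.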