Changeset 1252Tweet

Timestamp:

Oct 28, 2006, 11:00:58 AM (16 years ago)

Author:

Sam Hocevar

Message:

• Fixed buffer overflow in replace().

File:

• cacamoo/trunk/src/main.c (modified) (3 diffs)

cacamoo/trunk/src/main.c

@@ -324 +324 @@
     unsigned int s = 0;
     char *temp = NULL;
-    char *temp2 = NULL;
 
     /* Try direct name */
@@ -373 +372 @@
 
     /* AHAHAH, THAT'S A COOL PERL INTERPRETER ! */
-    temp2 = replace(temp, " = <<\"EOC\";", "");
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, " = <<EOC;"    , "");
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, " = <<EOC"     , "");
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, " = << EOC"    , "");
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "EOC"          , "");
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "$eyes"        , cacamoo_use_eyes);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "${eyes}"      , cacamoo_use_eyes);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "$tongue"      , cacamoo_use_tongue);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "${tongue}"    , cacamoo_use_tongue);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "$thoughts"    , cacamoo_thoughts);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "${thoughts}"  , cacamoo_thoughts);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "$the_cow"     , (const char*)string);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
-    temp2 = replace(temp, "${the_cow}"   , (const char*)string);
-    if(temp!=temp2 && temp2 !=NULL)
-    {
-        free(temp);
-        temp = temp2;
-    }
+    temp = replace(temp, " = <<\"EOC\";", "");
+    temp = replace(temp, " = <<EOC;"    , "");
+    temp = replace(temp, " = <<EOC"     , "");
+    temp = replace(temp, " = << EOC"    , "");
+    temp = replace(temp, "EOC"          , "");
+    temp = replace(temp, "$eyes"        , cacamoo_use_eyes);
+    temp = replace(temp, "${eyes}"      , cacamoo_use_eyes);
+    temp = replace(temp, "$tongue"      , cacamoo_use_tongue);
+    temp = replace(temp, "${tongue}"    , cacamoo_use_tongue);
+    temp = replace(temp, "$thoughts"    , cacamoo_thoughts);
+    temp = replace(temp, "${thoughts}"  , cacamoo_thoughts);
+    temp = replace(temp, "$the_cow"     , (const char*)string);
+    temp = replace(temp, "${the_cow}"   , (const char*)string);
     *size = strlen(temp)+1;
-
 
     fclose(fp);
@@ -510 +443 @@
 }
 
-char *replace(char *str, char *oldpiece, const char *newpiece)
-{
-    int str_index, newstr_index, oldpiece_index, end,
-        new_len, old_len, cpy_len;
-    char *c = NULL;
-    char *newstr = NULL;
-    char *orig = str;
-
-    if(oldpiece==NULL || newpiece==NULL)
-        return NULL;
-
-    if ((c = (char *) strstr(str, oldpiece)) == NULL)
-        return str;
-
-
-    newstr = malloc(8192); // FIXME
-
-    if(newstr == NULL)
-    {
-        return str;
-    }
-
-    new_len        = strlen(newpiece);
-    old_len        = strlen(oldpiece);
-    end            = strlen(str)   - old_len;
-    oldpiece_index = c - str;
-
-    newstr_index = 0;
-    str_index = 0;
-    while(str_index <= end && c != NULL)
-    {
-        /* Copy characters from the left of matched pattern occurence */
-        cpy_len = oldpiece_index-str_index;
-        strncpy(newstr+newstr_index, str+str_index, cpy_len);
-        newstr_index += cpy_len;
-        str_index    += cpy_len;
-
-        /* Copy replacement characters instead of matched pattern */
-        strcpy(newstr+newstr_index, newpiece);
-        newstr_index += new_len;
-        str_index    += old_len;
-
-        /* Check for another pattern match */
-        if((c = (char *) strstr(str+str_index, oldpiece)) != NULL)
-            oldpiece_index = c - str;
-    }
-    /* Copy remaining characters from the right of last matched pattern */
-    strcpy(newstr+newstr_index, str+str_index);
-
-    str = orig;
-    return newstr;
+char *replace(char *s1, char *oldpiece, const char *newpiece)
+{
+    unsigned int oldlen = strlen(oldpiece), newlen = strlen(newpiece);
+    unsigned int i1 = 0, i2 = 0;
+    char *s2 = oldlen < newlen ? NULL : s1;
+
+    for(;;)
+    {
+        char *found = strstr(s1 + i1, oldpiece);
+        unsigned int tocopy;
+
+        if(!found)
+        {
+            tocopy = strlen(s1 + i1);
+            if(oldlen < newlen)
+                s2 = realloc(s2, i2 + tocopy + 1);
+            memmove(s2 + i2, s1 + i1, tocopy + 1);
+            if(oldlen < newlen)
+                free(s1);
+            return s2;
+        }
+
+        tocopy = found - (s1 + i1);
+        if(oldlen < newlen)
+            s2 = realloc(s2, i2 + tocopy + newlen);
+        memmove(s2 + i2, s1 + i1, tocopy);
+        memcpy(s2 + tocopy, newpiece, newlen);
+        i1 += tocopy + oldlen;
+        i2 += tocopy + newlen;
+    }
 }