Fix buffer overflow in keys_action_allkeys()

Signed-off-by: Lukas Fleischer <lfleischer@calcurse.org>
author: Lukas Fleischer <lfleischer@calcurse.org> 2018-05-26 12:03:03 +0200
committer: Lukas Fleischer <lfleischer@calcurse.org> 2018-05-26 12:03:03 +0200
commit: 7efe03cf0552234852be6e4537c5fe0ce0c6841c (patch)
tree: 68306125071db5fb6db3a87d1ba9ec2faa02ed80 /src
parent: 2cd60c78cf8411a0d1592da458e2832e7b1b20db (diff)
download: calcurse-7efe03cf0552234852be6e4537c5fe0ce0c6841c.tar.gz
calcurse-7efe03cf0552234852be6e4537c5fe0ce0c6841c.zip
1 files changed, 9 insertions, 4 deletions
diff --git a/src/keys.c b/src/keys.c
index 8bafd66..578c973 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -452,18 +452,23 @@ char *keys_action_allkeys(enum key action)
 {
 	llist_item_t *i;
 	static char keystr[BUFSIZ];
-	const char *CHAR_SPACE = " ";
+	int keystrlen = 0;
+	int entrylen;
 
 	if (!LLIST_FIRST(&keys[action]))
 		return NULL;
 
 	keystr[0] = '\0';
 	LLIST_FOREACH(&keys[action], i) {
-		const int MAXLEN = sizeof(keystr) - 1 - strlen(keystr);
-		strncat(keystr, LLIST_GET_DATA(i), MAXLEN - 1);
-		strncat(keystr, CHAR_SPACE, 1);
+		entrylen = strlen(LLIST_GET_DATA(i)) + 1;
+		if (keystrlen + entrylen >= BUFSIZ)
+			break;
+		memcpy(keystr + keystrlen, LLIST_GET_DATA(i), entrylen - 1);
+		keystr[keystrlen + entrylen - 1] = ' ';
+		keystrlen += entrylen;
 	}
 
+	keystr[keystrlen] = '\0';
 	return keystr;
 }
author	Lukas Fleischer <lfleischer@calcurse.org>	2018-05-26 12:03:03 +0200
committer	Lukas Fleischer <lfleischer@calcurse.org>	2018-05-26 12:03:03 +0200
commit	7efe03cf0552234852be6e4537c5fe0ce0c6841c (patch)
tree	68306125071db5fb6db3a87d1ba9ec2faa02ed80 /src
parent	2cd60c78cf8411a0d1592da458e2832e7b1b20db (diff)
download	calcurse-7efe03cf0552234852be6e4537c5fe0ce0c6841c.tar.gz calcurse-7efe03cf0552234852be6e4537c5fe0ce0c6841c.zip