[PATCH #54] Fixed bug with processing of user input when the user input

size equals or exceeds the allowed amount. A 1-byte buffer overrun resulted in incorrect processing of the buffer returned from the window supplying user input which lead to an infinite loop.
2019-05-29 22:38:02 +02:00 · 2019-05-29 22:38:02 +02:00 · 8a6c9a29e5
parent c76bdee606
commit 8a6c9a29e5
1 changed files with 16 additions and 4 deletions
--- a/src/winmain.c
+++ b/src/winmain.c
@ -432,8 +432,13 @@ w_getch(void)
        // Cursor = warten
        SetCursor(LoadCursor(NULL, IDC_WAIT));
    }
-    // Zeichen abholen
-    memmove(&SBuffer[0], &SBuffer[1], SBufSize);
+
+    /* Shift out the character being returned. After the entire
+     * contents of the buffer is read, it first byte is '\0' from
+     * the null termination of the buffer.
+     *
+     * Inefficient way to process the string, but it should work */
+    (void) memmove(SBuffer, SBuffer + 1, sizeof SBuffer - 1);
    return c;
 }

@ -550,9 +555,16 @@ StringWindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
    case WM_CHAR:
        c = (char) wParam;
        if (c == CR) {
-            GetWindowText(hwnd, SBuffer, SBufSize);
+            /* Get text from the window. Must leave space for crlf
+             * that is appended. -1 accounts for NULL as follows:
+             * The last argument to GetWindowText is the size of the
+             * buffer for writing the string + NULL. The NULL will be
+             * overwritten by the strcpy below, so it should not be
+             * counted in the size needed for the CRLF string. */
+            const int n_char_returned = GetWindowText(
+                    hwnd, SBuffer, sizeof SBuffer - (sizeof CRLF - 1));
            HistoryEnter(SBuffer);
-            strcat(SBuffer, CRLF);
+            strcpy(SBuffer + n_char_returned, CRLF);
            ClearInput();
            return 0;
        }