Fix out-of-bounds read when parsing --list argument

When running bemenu like:
    env BEMENU_OPTS="--list 3" bemenu

Valgrind will report an out-of-bounds read:
    Invalid read of size 1
       at 0x10BC91: do_getopt.part.0 (common.c:366)
       by 0x10C635: do_getopt (common.c:340)
       by 0x10C635: parse_args (common.c:556)
       by 0x10B535: main (bemenu.c:55)
     Address 0x4ac13e2 is 0 bytes after a block of size 2 alloc'd
       at 0x4849BF3: calloc (vg_replace_malloc.c:1675)
       by 0x10C533: cstrcopy (common.c:120)
       by 0x10C533: tokenize_quoted_to_argv (common.c:146)
       by 0x10C60C: parse_args (common.c:555)
       by 0x10B535: main (bemenu.c:55)

The problem is that the parsing code for `--list` will blindly compare
a character past the number of lines to parse for e.g. `--list '3 up'`
but the end of the string may come right after the number of lines.

In my system Valgrind does not find the error when running bemenu like
`bemenu --list 3` even though the logic is equally questionable.

Fix it by checking that there is more after the number of lines.
This commit is contained in:
Joan Bruguera Micó 2024-07-07 11:55:47 +00:00 committed by Jari Vetoniemi
parent 5bc8a6caaa
commit fa84d4b2d6

View File

@ -363,7 +363,7 @@ do_getopt(struct client *client, int *argc, char **argv[])
{ {
char *ptr; char *ptr;
client->lines = strtol(optarg, &ptr, 10); client->lines = strtol(optarg, &ptr, 10);
client->lines_mode = (!strcmp(ptr + 1, "up") ? BM_LINES_UP : BM_LINES_DOWN); client->lines_mode = (*ptr && !strcmp(ptr + 1, "up") ? BM_LINES_UP : BM_LINES_DOWN);
break; break;
} }
case 'c': case 'c':