hexdump: check blocksize when display data

hexdump(1) stores input to buffer and apply format unit when prints
the output. The unit can move pointer which points to the buffer, but
code does not check for limits.

Fixes: https://github.com/util-linux/util-linux/issues/2806
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/text-utils/hexdump-display.c b/text-utils/hexdump-display.c
index bc92bd0ca027481089dbdb673b95ca10204497e4..c865127c870e5a564c7c716b0262868cdb20dad0 100644 (file)
--- a/text-utils/hexdump-display.c
+++ b/text-utils/hexdump-display.c
@@ -250,6 +250,8 @@ void display(struct hexdump *hex)
        struct list_head *p, *q, *r;
 
        while ((bp = get(hex)) != NULL) {
+               ssize_t rem = hex->blocksize;
+
                fs = &hex->fshead; savebp = bp; saveaddress = address;
 
                list_for_each(p, fs) {
@@ -263,7 +265,7 @@ void display(struct hexdump *hex)
 
                                cnt = fu->reps;
 
-                               while (cnt) {
+                               while (cnt && rem >= 0) {
                                        list_for_each(r, &fu->prlist) {
                                                pr = list_entry(r, struct hexdump_pr, prlist);
 
@@ -280,12 +282,18 @@ void display(struct hexdump *hex)
                                                        print(pr, bp);
 
                                                address += pr->bcnt;
+
+                                               rem -= pr->bcnt;
+                                               if (rem < 0)
+                                                       break;
+
                                                bp += pr->bcnt;
                                        }
                                        --cnt;
                                }
                        }
                        bp = savebp;
+                       rem = hex->blocksize;
                        address = saveaddress;
                }
        }