From d54381f00991669fa4ee4f3a8037f246ca1904f8 Mon Sep 17 00:00:00 2001
From: Jari Vetoniemi
Date: Sat, 12 Apr 2014 20:16:33 +0300
Subject: Fix out of bound access, and provide better tokenize api.
---
 lib/filter.c | 6 +++---
 lib/internal.h | 2 +-
 lib/util.c | 7 ++++++-
 3 files changed, 10 insertions(+), 5 deletions(-)
(limited to 'lib')
diff --git a/lib/filter.c b/lib/filter.c
index 811451b..204eac1 100644
--- a/lib/filter.c
+++ b/lib/filter.c
@@ -54,15 +54,15 @@ static char* _bmFilterTokenize(bmMenu *menu, char ***outTokv, unsigned int *outT
 if (!(buffer = _bmStrdup(menu->filter))) goto fail;
- size_t pos = 0;
+ size_t pos = 0, next;
 unsigned int tokc = 0, tokn = 0;
 char *s = buffer, **tmp = NULL;
- while ((pos = _bmStripToken(s, " ")) != 0) {
+ while ((pos = _bmStripToken(s, " ", &next)) > 0) {
 if (++tokc > tokn && !(tmp = realloc(tmp, ++tokn * sizeof(char*)))) goto fail;
 tmp[tokc - 1] = s;
- s += pos + 1;
+ s += next;
 }
 *outTokv = tmp;
diff --git a/lib/internal.h b/lib/internal.h
index 1ed13b4..6d116a0 100644
--- a/lib/internal.h
+++ b/lib/internal.h
@@ -163,7 +163,7 @@ int _bmItemListRemoveItem(struct _bmItemList *list, const bmItem *item);
 /* util.c */
 char* _bmStrdup(const char *s);
-size_t _bmStripToken(char *string, const char *token);
+size_t _bmStripToken(char *string, const char *token, size_t *outNext);
 int _bmStrupcmp(const char *hay, const char *needle);
 int _bmStrnupcmp(const char *hay, const char *needle, size_t len);
 char* _bmStrupstr(const char *hay, const char *needle);
diff --git a/lib/util.c b/lib/util.c
index c4533ca..bcb27cb 100644
--- a/lib/util.c
+++ b/lib/util.c
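Review bot: In lib/filter.c, the context line `if (++tokc > tokn && !(tmp = realloc(tmp, ++tokn * sizeof(char*)))) goto fail;` overwrites `tmp` with NULL when realloc fails, so the token array built so far can no longer be freed and leaks. Assign to a temporary first, e.g. `char **grown = realloc(tmp, ++tokn * sizeof(char*));` then `if (!grown) goto fail;` and `tmp = grown;`. The `fail:` label lies outside the hunk, so it should be confirmed that it frees `tmp` once the pointer survives the failure. Separately, the loop still ends at the first empty token, because `_bmStripToken` returns 0 for a leading or doubled space and the remaining filter words are silently dropped; the new `next` value would allow skipping such empty tokens instead.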
@@ -34,11 +34,16 @@ char* _bmStrdup(const char *string)
 * Replaces next token in string with '\0' and returns position for the replaced token.
 *
 * @param string C "string" where token will be replaced.
+ * @param outNext Reference to position of next delimiter, or 0 if none.
 * @return Position of the replaced token.
 */
-size_t _bmStripToken(char *string, const char *token)
+size_t _bmStripToken(char *string, const char *token, size_t *outNext)
 {
 size_t len = strcspn(string, token);
+
+ if (outNext)
+ *outNext = len + (string[len] != 0);
+
 string[len] = 0;
 return len;
 }
-- cgit v1.2.3-70-g09d2
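Review bot: The added `@param outNext` line in lib/util.c does not match the code: `*outNext = len + (string[len] != 0)` stores the offset just past the replaced delimiter, or `len` (the offset of the terminating NUL) when no delimiter was found, and is 0 only for an empty string. Callers advance their cursor by this value, so a wrong description invites the same out-of-bounds stepping this commit removes; suggest `* @param outNext Optional. Receives the offset where the next token starts (one past the replaced delimiter), or the offset of the terminating NUL if no delimiter was found.` The `token` parameter is also undocumented, and because it is passed to `strcspn` it acts as a set of delimiter characters rather than a single token string, which is worth stating in a `@param token` line.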