| author | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-03-24 15:04:39 +0100 |
|---|---|---|
| committer | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-03-24 15:04:39 +0100 |
| commit | 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 (patch) | |
| tree | 467a11ce5cf8e5e970565f2d7bb93bfe5f8775d0 | |
| parent | 42518, CVE-2018-1071: check bounds when copying path in hashcmd() (diff) | |
42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer used for file completion candidates
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | Src/Zle/compctl.c | 6 |
2 files changed, 9 insertions, 0 deletions
@@ -1,5 +1,8 @@ 2018-03-24 Oliver Kiddle <okiddle@yahoo.co.uk> + * 42519, CVE-2018-1083: Src/Zle/compctl.c: check bounds on + PATH_MAX-sized buffer used for file completion candidates + * 42518, CVE-2018-1071: Src/exec.c, Src/utils.c: check bounds when copying path in hashcmd()
diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c
index e9d165780..87d13afc1 100644
--- a/Src/Zle/compctl.c
+++ b/Src/Zle/compctl.c
@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
 if (prpre && *prpre) {
 pathpref = dupstring(prpre);
 unmetafy(pathpref, &pathpreflen);
+ if (pathpreflen > PATH_MAX)
+ return;
 /* system needs NULL termination, not provided by unmetafy */
 pathpref[pathpreflen] = '\0';
 } else {
@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
 * the path buffer by appending the filename. */
 ums = dupstring(n);
 unmetafy(ums, ¨en);
+ if (umlen + pathpreflen + 1 > PATH_MAX)
+ continue;
 memcpy(q, ums, umlen);
 q[umlen] = '\0';
 /* And do the stat. */
@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
 /* We have to test for a path suffix. */
 int o = strlen(p), tt;
+ if (o + strlen(psuf) > PATH_MAX)
+ continue;
 /* Append it to the path buffer. */
 strcpy(p + o, psuf); |
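Review bot: The three new bounds checks do not agree on whether the terminating NUL is counted: the first compctl.c hunk still admits `pathpreflen == PATH_MAX` and the third admits `o + strlen(psuf) == PATH_MAX`, after which `strcpy(p + o, psuf)` writes index PATH_MAX, whereas the second hunk's `umlen + pathpreflen + 1 > PATH_MAX` includes the terminator. Whether the first and third are safe depends on the size of the path buffer `p`, whose declaration (and the later copy of `pathpref` into it) lies outside these hunks; if `p` is exactly PATH_MAX bytes rather than PATH_MAX + 1, each of those two checks leaves a one-byte overrun, and the discrepancy is worth settling either way. I would use the same accounting in all three places, e.g. `if (pathpreflen + 1 > PATH_MAX) return;` in the first hunk and `if (o + strlen(psuf) + 1 > PATH_MAX) continue;` in the third, or compare against `sizeof p` if `p` is a local array so the bound cannot drift from the declaration. The same point applies to the third hunk, which is cut off at the end of the page. gen_matches_files begins before the first hunk and continues past the last one.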
