diff options
author | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-04-07 18:28:38 +0200 |
---|---|---|
committer | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-04-07 18:28:38 +0200 |
commit | 31f72205630687c1cef89347863aab355296a27f (patch) | |
tree | 7884e266a5f6f65a24d85f91b669d4055364cbb6 | |
parent | 4044d73706a4779d145bc27512a434865b081f28 (diff) | |
download | zsh-31f72205630687c1cef89347863aab355296a27f.tar.gz zsh-31f72205630687c1cef89347863aab355296a27f.tar.xz zsh-31f72205630687c1cef89347863aab355296a27f.zip |
42607, CVE-2018-1100: check bounds on buffer in mail checking
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | Src/utils.c | 8 |
2 files changed, 8 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog index 60ec155d7..2cc699b67 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 2018-04-07 Oliver Kiddle <okiddle@yahoo.co.uk> + * 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer + in mail checking + * 42600: Src/Zle/computil.c: error paths for _values leaked the exclusion list array diff --git a/Src/utils.c b/Src/utils.c index c544b81bf..180693d67 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -1653,7 +1653,7 @@ checkmailpath(char **s) LinkList l; DIR *lock = opendir(unmeta(*s)); char buf[PATH_MAX * 2 + 1], **arr, **ap; - int ct = 1; + int buflen, ct = 1; if (lock) { char *fn; @@ -1662,9 +1662,11 @@ checkmailpath(char **s) l = newlinklist(); while ((fn = zreaddir(lock, 1)) && !errflag) { if (u) - sprintf(buf, "%s/%s?%s", *s, fn, u); + buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u); else - sprintf(buf, "%s/%s", *s, fn); + buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn); + if (buflen < 0 || buflen >= (int)sizeof(buf)) + continue; addlinknode(l, dupstring(buf)); ct++; } |