about summary refs log tree commit diff
diff options
context:
space:
mode:
authorPeter Stephenson <p.w.stephenson@ntlworld.com>2023-05-13 21:49:07 +0100
committerPeter Stephenson <p.w.stephenson@ntlworld.com>2023-05-13 21:49:07 +0100
commita95198e268ec1d432c37afc8dc4f8839acc0c8d0 (patch)
tree6e2a7fe63abb80700a46955cb5425de7c9c8ba94
parentb4d1c756f50909b4a13e5c8fe5f26f71e9d54f63 (diff)
downloadzsh-a95198e268ec1d432c37afc8dc4f8839acc0c8d0.tar.gz
zsh-a95198e268ec1d432c37afc8dc4f8839acc0c8d0.tar.xz
zsh-a95198e268ec1d432c37afc8dc4f8839acc0c8d0.zip
51722: Safety for extracting elements of $historywords
Diffstat
-rw-r--r--ChangeLog5


-rw-r--r--Src/Modules/parameter.c11


2 files changed, 14 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 18bc4a698..85fc1de96 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2023-05-13  Peter Stephenson  <p.w.stephenson@ntlworld.com>
+
+	* 51722: Src/Modules/parameter.c: Add safety to extracting
+	elements of $historywords.
+
 2023-05-13  Oliver Kiddle  <opk@zsh.org>
 
 	* 51738: Doc/Zsh/mod_pcre.yo, Src/Modules/pcre.c,
diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c
index 96a211c69..a05ea2fe4 100644
--- a/Src/Modules/parameter.c
+++ b/Src/Modules/parameter.c
@@ -1233,9 +1233,16 @@ histwgetfn(UNUSED(Param pm))
             pushnode(l, getdata(n));
 
     while (he) {
+	char *hstr = he->node.nam;
+	int len = strlen(hstr);
 	for (iw = he->nwords - 1; iw >= 0; iw--) {
-	    h = he->node.nam + he->words[iw * 2];
-	    e = he->node.nam + he->words[iw * 2 + 1];
+	    int wbegin = he->words[iw * 2];
+	    int wend = he->words[iw * 2 + 1];
+
+	    if (wbegin < 0 || wbegin >= len || wend < 0 || wend > len)
+		break;
+	    h = hstr + wbegin;
+	    e = hstr + wend;
 	    sav = *e;
 	    *e = '\0';
 	    addlinknode(l, dupstring(h));

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-04-25 19:45:21 +0000