diff options
author | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-03-24 15:04:39 +0100 |
---|---|---|
committer | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-03-24 15:04:39 +0100 |
commit | 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 (patch) | |
tree | 467a11ce5cf8e5e970565f2d7bb93bfe5f8775d0 /Src/Zle | |
parent | 679b71ec4d852037fe5f73d35bf557b0f406c8d4 (diff) | |
download | zsh-259ac472eac291c8c103c7a0d8a4eaf3c2942ed7.tar.gz zsh-259ac472eac291c8c103c7a0d8a4eaf3c2942ed7.tar.xz zsh-259ac472eac291c8c103c7a0d8a4eaf3c2942ed7.zip |
42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer used for file completion candidates
Diffstat (limited to 'Src/Zle')
-rw-r--r-- | Src/Zle/compctl.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c index e9d165780..87d13afc1 100644 --- a/Src/Zle/compctl.c +++ b/Src/Zle/compctl.c @@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all) if (prpre && *prpre) { pathpref = dupstring(prpre); unmetafy(pathpref, &pathpreflen); + if (pathpreflen > PATH_MAX) + return; /* system needs NULL termination, not provided by unmetafy */ pathpref[pathpreflen] = '\0'; } else { @@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all) * the path buffer by appending the filename. */ ums = dupstring(n); unmetafy(ums, ¨en); + if (umlen + pathpreflen + 1 > PATH_MAX) + continue; memcpy(q, ums, umlen); q[umlen] = '\0'; /* And do the stat. */ @@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all) /* We have to test for a path suffix. */ int o = strlen(p), tt; + if (o + strlen(psuf) > PATH_MAX) + continue; /* Append it to the path buffer. */ strcpy(p + o, psuf); |