author | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-04-07 18:28:38 +0200 |
---|---|---|
committer | Oliver Kiddle <okiddle@yahoo.co.uk> | 2018-04-07 18:28:38 +0200 |
commit | 31f72205630687c1cef89347863aab355296a27f (patch) | |
tree | 7884e266a5f6f65a24d85f91b669d4055364cbb6 /Src | |
parent | 4044d73706a4779d145bc27512a434865b081f28 (diff) | |
42607, CVE-2018-1100: check bounds on buffer in mail checking
Diffstat (limited to 'Src')
-rw-r--r-- | Src/utils.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/Src/utils.c b/Src/utils.c
index c544b81bf..180693d67 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1653,7 +1653,7 @@ checkmailpath(char **s)
 LinkList l;
 DIR *lock = opendir(unmeta(*s));
 char buf[PATH_MAX * 2 + 1], **arr, **ap;
- int ct = 1;
+ int buflen, ct = 1;
 if (lock) {
 char *fn;
@@ -1662,9 +1662,11 @@ checkmailpath(char **s)
 l = newlinklist();
 while ((fn = zreaddir(lock, 1)) && !errflag) {
 if (u)
- sprintf(buf, "%s/%s?%s", *s, fn, u);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
 else
- sprintf(buf, "%s/%s", *s, fn);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+ if (buflen < 0 || buflen >= (int)sizeof(buf))
+ continue;
 addlinknode(l, dupstring(buf));
 ct++;
 }
|
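Review bot: The `continue` after the new length check in the second hunk drops an over-long entry silently, so a file whose formatted name does not fit in `buf` is never mail-checked and nothing tells the user why. Because `u` is part of the `"%s/%s?%s"` format, a long `u` (presumably the user-supplied text after `?`; its origin is outside the hunk) would make every entry in the directory take that path. The truncation test itself is right, since `snprintf` returns the length it would have written. At minimum the skip deserves a comment such as `/* entry does not fit in buf: skip it rather than queue a truncated path */`. `buflen` is only used inside the loop and could be declared there instead of at function scope; the body of `checkmailpath` starts and ends outside both hunks.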