diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | Src/exec.c | 2 | ||||
-rw-r--r-- | Src/utils.c | 6 |
3 files changed, 9 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog index 02d60612b..084d971c2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2018-03-24 Oliver Kiddle <okiddle@yahoo.co.uk> + + * 42518, CVE-2018-1071: Src/exec.c, Src/utils.c: + check bounds when copying path in hashcmd() + 2018-03-24 Jun-ichi Takimoto <takimoto-j@kba.biglobe.ne.jp> * 42501: Src/Zle/complete.c, Src/Zle/computil.c, diff --git a/Src/exec.c b/Src/exec.c index 35b0bb191..e154d1249 100644 --- a/Src/exec.c +++ b/Src/exec.c @@ -934,7 +934,7 @@ hashcmd(char *arg0, char **pp) for (; *pp; pp++) if (**pp == '/') { s = buf; - strucpy(&s, *pp); + struncpy(&s, *pp, PATH_MAX); *s++ = '/'; if ((s - buf) + strlen(arg0) >= PATH_MAX) continue; diff --git a/Src/utils.c b/Src/utils.c index 3b589aa35..998b16220 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n) { char *u = *s; - while (n--) - *u++ = *t++; + while (n-- && (*u++ = *t++)); *s = u; - *u = '\0'; + if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ + *u = '\0'; } /* Return the number of elements in an array of pointers. * |