From a95198e268ec1d432c37afc8dc4f8839acc0c8d0 Mon Sep 17 00:00:00 2001
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
Date: Sat, 13 May 2023 21:49:07 +0100
Subject: 51722: Safety for extracting elements of $historywords

---
 ChangeLog               |  5 +++++
 Src/Modules/parameter.c | 11 +++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 18bc4a698..85fc1de96 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2023-05-13  Peter Stephenson  <p.w.stephenson@ntlworld.com>
+
+	* 51722: Src/Modules/parameter.c: Add safety to extracting
+	elements of $historywords.
+
 2023-05-13  Oliver Kiddle  <opk@zsh.org>
 
 	* 51738: Doc/Zsh/mod_pcre.yo, Src/Modules/pcre.c,
diff --git a/Src/Modules/parameter.c b/Src/Modules/parameter.c
index 96a211c69..a05ea2fe4 100644
--- a/Src/Modules/parameter.c
+++ b/Src/Modules/parameter.c
@@ -1233,9 +1233,16 @@ histwgetfn(UNUSED(Param pm))
             pushnode(l, getdata(n));
 
     while (he) {
+	char *hstr = he->node.nam;
+	int len = strlen(hstr);
 	for (iw = he->nwords - 1; iw >= 0; iw--) {
-	    h = he->node.nam + he->words[iw * 2];
-	    e = he->node.nam + he->words[iw * 2 + 1];
+	    int wbegin = he->words[iw * 2];
+	    int wend = he->words[iw * 2 + 1];
+
+	    if (wbegin < 0 || wbegin >= len || wend < 0 || wend > len)
+		break;
+	    h = hstr + wbegin;
+	    e = hstr + wend;
 	    sav = *e;
 	    *e = '\0';
 	    addlinknode(l, dupstring(h));
-- 
cgit 1.4.1