Blame SOURCES/zsh-5.0.2-CVE-2018-1071.patch
|
 |
da6346 |
From c3fec0b136d938704d8b0ba82424eea8d17f86ab Mon Sep 17 00:00:00 2001
|
|
|
da6346 |
From: Oliver Kiddle <okiddle@yahoo.co.uk>
|
|
|
da6346 |
Date: Sat, 24 Mar 2018 15:02:41 +0100
|
|
|
da6346 |
Subject: [PATCH] 42518, CVE-2018-1071: check bounds when copying path in
|
|
|
da6346 |
hashcmd()
|
|
|
da6346 |
|
|
|
da6346 |
Upstream-commit: 679b71ec4d852037fe5f73d35bf557b0f406c8d4
|
|
|
da6346 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
da6346 |
---
|
|
|
da6346 |
Src/exec.c | 2 +-
|
|
|
da6346 |
Src/utils.c | 6 +++---
|
|
|
da6346 |
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
da6346 |
|
|
|
da6346 |
diff --git a/Src/exec.c b/Src/exec.c
|
|
|
da6346 |
index 6d47935..b9ffb35 100644
|
|
|
da6346 |
--- a/Src/exec.c
|
|
|
da6346 |
+++ b/Src/exec.c
|
|
|
da6346 |
@@ -860,7 +860,7 @@ hashcmd(char *arg0, char **pp)
|
|
|
da6346 |
for (; *pp; pp++)
|
|
|
da6346 |
if (**pp == '/') {
|
|
|
da6346 |
s = buf;
|
|
|
da6346 |
- strucpy(&s, *pp);
|
|
|
da6346 |
+ struncpy(&s, *pp, PATH_MAX);
|
|
|
da6346 |
*s++ = '/';
|
|
|
da6346 |
if ((s - buf) + strlen(arg0) >= PATH_MAX)
|
|
|
da6346 |
continue;
|
|
|
da6346 |
diff --git a/Src/utils.c b/Src/utils.c
|
|
|
da6346 |
index 391d020..c6eba63 100644
|
|
|
da6346 |
--- a/Src/utils.c
|
|
|
da6346 |
+++ b/Src/utils.c
|
|
|
da6346 |
@@ -2005,10 +2005,10 @@ struncpy(char **s, char *t, int n)
|
|
|
da6346 |
{
|
|
|
da6346 |
char *u = *s;
|
|
|
da6346 |
|
|
|
da6346 |
- while (n--)
|
|
|
da6346 |
- *u++ = *t++;
|
|
|
da6346 |
+ while (n-- && (*u++ = *t++));
|
|
|
da6346 |
*s = u;
|
|
|
da6346 |
- *u = '\0';
|
|
|
da6346 |
+ if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
|
|
|
da6346 |
+ *u = '\0';
|
|
|
da6346 |
}
|
|
|
da6346 |
|
|
|
da6346 |
/* Return the number of elements in an array of pointers. *
|
|
|
da6346 |
--
|
|
|
da6346 |
2.14.3
|
|
|
da6346 |
|