|
 |
f686d7 |
From 20cf100cddc27a1e7202413261c93b78142899e8 Mon Sep 17 00:00:00 2001
|
|
|
f686d7 |
From: Oliver Kiddle <okiddle@yahoo.co.uk>
|
|
|
f686d7 |
Date: Sat, 24 Mar 2018 15:04:39 +0100
|
|
|
f686d7 |
Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer
|
|
|
f686d7 |
used for file completion candidates
|
|
|
f686d7 |
|
|
|
f686d7 |
Upstream-commit: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
|
|
|
f686d7 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
f686d7 |
|
|
|
f686d7 |
Also picked a fix for buffer size off-by-one from upstream commit
|
|
|
f686d7 |
a62e1640bcafbb82d86ea8d8ce057a83c4683d60 to fix the following defect
|
|
|
f686d7 |
newly detected by Coverity Analysis:
|
|
|
f686d7 |
|
|
|
f686d7 |
Error: OVERRUN (CWE-119):
|
|
|
f686d7 |
zsh-5.0.2/Src/Zle/compctl.c:2160: cond_at_most: Checking "pathpreflen > 4096" implies that "pathpreflen" may be up to 4096 on the false branch.
|
|
|
f686d7 |
zsh-5.0.2/Src/Zle/compctl.c:2172: overrun-buffer-arg: Overrunning array "p" of 4096 bytes by passing it to a function which accesses it at byte offset 4096 using argument "pathpreflen + 1" (which evaluates to 4097). [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
|
f686d7 |
---
|
|
|
f686d7 |
Src/Zle/compctl.c | 8 +++++++-
|
|
|
f686d7 |
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
|
f686d7 |
|
|
|
f686d7 |
diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c
|
|
|
f686d7 |
index 5d67137..5e636ef 100644
|
|
|
f686d7 |
--- a/Src/Zle/compctl.c
|
|
|
f686d7 |
+++ b/Src/Zle/compctl.c
|
|
|
f686d7 |
@@ -2136,7 +2136,7 @@ gen_matches_files(int dirs, int execs, int all)
|
|
|
f686d7 |
{
|
|
|
f686d7 |
DIR *d;
|
|
|
f686d7 |
struct stat buf;
|
|
|
f686d7 |
- char *n, p[PATH_MAX], *q = NULL, *e, *pathpref;
|
|
|
f686d7 |
+ char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref;
|
|
|
f686d7 |
LinkList l = NULL;
|
|
|
f686d7 |
int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen;
|
|
|
f686d7 |
|
|
|
f686d7 |
@@ -2157,6 +2157,8 @@ gen_matches_files(int dirs, int execs, int all)
|
|
|
f686d7 |
if (prpre && *prpre) {
|
|
|
f686d7 |
pathpref = dupstring(prpre);
|
|
|
f686d7 |
unmetafy(pathpref, &pathpreflen);
|
|
|
f686d7 |
+ if (pathpreflen > PATH_MAX)
|
|
|
f686d7 |
+ return;
|
|
|
f686d7 |
/* system needs NULL termination, not provided by unmetafy */
|
|
|
f686d7 |
pathpref[pathpreflen] = '\0';
|
|
|
f686d7 |
} else {
|
|
|
f686d7 |
@@ -2199,6 +2201,8 @@ gen_matches_files(int dirs, int execs, int all)
|
|
|
f686d7 |
* the path buffer by appending the filename. */
|
|
|
f686d7 |
ums = dupstring(n);
|
|
|
f686d7 |
unmetafy(ums, ¨en);
|
|
|
f686d7 |
+ if (umlen + pathpreflen + 1 > PATH_MAX)
|
|
|
f686d7 |
+ continue;
|
|
|
f686d7 |
memcpy(q, ums, umlen);
|
|
|
f686d7 |
q[umlen] = '\0';
|
|
|
f686d7 |
/* And do the stat. */
|
|
|
f686d7 |
@@ -2213,6 +2217,8 @@ gen_matches_files(int dirs, int execs, int all)
|
|
|
f686d7 |
/* We have to test for a path suffix. */
|
|
|
f686d7 |
int o = strlen(p), tt;
|
|
|
f686d7 |
|
|
|
f686d7 |
+ if (o + strlen(psuf) > PATH_MAX)
|
|
|
f686d7 |
+ continue;
|
|
|
f686d7 |
/* Append it to the path buffer. */
|
|
|
f686d7 |
strcpy(p + o, psuf);
|
|
|
f686d7 |
|
|
|
f686d7 |
--
|
|
|
f686d7 |
2.14.3
|
|
|
f686d7 |
|