From e51be32e198f42828b1082f9a40ff525ba892dcb Mon Sep 17 00:00:00 2001
From: "Barton E. Schaefer" <schaefer@zsh.org>
Date: Sun, 17 Aug 2014 10:32:02 -0700
Subject: [PATCH 1/2] Increase size of xbuf2 in xsymlinks to make gcc
FORTIFY_SOURCE=2 happy.
Upstream-commit: 4ba08eef7e15f7fd0c96353d931b764e25fd251d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
Src/utils.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Src/utils.c b/Src/utils.c
index a197ef8..13e744e 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -723,7 +723,7 @@ static int
xsymlinks(char *s)
{
char **pp, **opp;
- char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
+ char xbuf2[PATH_MAX*3], xbuf3[PATH_MAX*2];
int t0, ret = 0;
zulong xbuflen = strlen(xbuf);
--
2.14.3
From 5059305b758f1fd228837da436b48a1dcadfd7a3 Mon Sep 17 00:00:00 2001
From: Peter Stephenson <pws@zsh.org>
Date: Tue, 9 May 2017 17:49:18 +0100
Subject: [PATCH 2/2] 40181: Fix buffer overrun in xsymlinks.
There was no check for copying to the internal xbuf2 for a
preliminary test.
Upstream-commit: c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
The upstream test-case has not been backported because this version
of zsh does not support the :P modifier.
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
Also picked a fix for buffer size off-by-one from upstream commit
a62e1640bcafbb82d86ea8d8ce057a83c4683d60 to fix the following defect
newly detected by Coverity Analysis:
Error: OVERRUN (CWE-119):
zsh-5.0.2/Src/utils.c:732: cond_at_most: Checking "xbuflen < 8192UL" implies that "xbuflen" may be up to 8191 on the true branch.
zsh-5.0.2/Src/utils.c:757: overrun-local: Overrunning array of 8192 bytes at byte offset 8192 by dereferencing pointer "xbuf2 + xbuflen + 1". [Note: The source code implementation of the function has been overridden by a builtin model.]
---
Src/utils.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/Src/utils.c b/Src/utils.c
index a197ef8..391d020 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -684,7 +684,7 @@ ispwd(char *s)
return 0;
}
-static char xbuf[PATH_MAX*2];
+static char xbuf[PATH_MAX*2+1];
/**/
static char **
@@ -723,9 +723,9 @@ static int
xsymlinks(char *s)
{
char **pp, **opp;
- char xbuf2[PATH_MAX*3], xbuf3[PATH_MAX*2];
+ char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];
int t0, ret = 0;
- zulong xbuflen = strlen(xbuf);
+ zulong xbuflen = strlen(xbuf), pplen;
opp = pp = slashsplit(s);
for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
@@ -744,10 +744,18 @@ xsymlinks(char *s)
*p = '\0';
continue;
}
- sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ /* Includes null byte. */
+ pplen = strlen(*pp) + 1;
+ if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
+ *xbuf = 0;
+ ret = -1;
+ break;
+ }
+ memcpy(xbuf2, xbuf, xbuflen);
+ xbuf2[xbuflen] = '/';
+ memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
if (t0 == -1) {
- zulong pplen = strlen(*pp) + 1;
if ((xbuflen += pplen) < sizeof(xbuf)) {
strcat(xbuf, "/");
strcat(xbuf, *pp);
--
2.14.3