From 20cf100cddc27a1e7202413261c93b78142899e8 Mon Sep 17 00:00:00 2001
From: Oliver Kiddle <okiddle@yahoo.co.uk>
Date: Sat, 24 Mar 2018 15:04:39 +0100
Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer
used for file completion candidates
Upstream-commit: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
Also picked a fix for buffer size off-by-one from upstream commit
a62e1640bcafbb82d86ea8d8ce057a83c4683d60 to fix the following defect
newly detected by Coverity Analysis:
Error: OVERRUN (CWE-119):
zsh-5.0.2/Src/Zle/compctl.c:2160: cond_at_most: Checking "pathpreflen > 4096" implies that "pathpreflen" may be up to 4096 on the false branch.
zsh-5.0.2/Src/Zle/compctl.c:2172: overrun-buffer-arg: Overrunning array "p" of 4096 bytes by passing it to a function which accesses it at byte offset 4096 using argument "pathpreflen + 1" (which evaluates to 4097). [Note: The source code implementation of the function has been overridden by a builtin model.]
---
Src/Zle/compctl.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c
index 5d67137..5e636ef 100644
--- a/Src/Zle/compctl.c
+++ b/Src/Zle/compctl.c
@@ -2136,7 +2136,7 @@ gen_matches_files(int dirs, int execs, int all)
{
DIR *d;
struct stat buf;
- char *n, p[PATH_MAX], *q = NULL, *e, *pathpref;
+ char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref;
LinkList l = NULL;
int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen;
@@ -2157,6 +2157,8 @@ gen_matches_files(int dirs, int execs, int all)
if (prpre && *prpre) {
pathpref = dupstring(prpre);
unmetafy(pathpref, &pathpreflen);
+ if (pathpreflen > PATH_MAX)
+ return;
/* system needs NULL termination, not provided by unmetafy */
pathpref[pathpreflen] = '\0';
} else {
@@ -2199,6 +2201,8 @@ gen_matches_files(int dirs, int execs, int all)
* the path buffer by appending the filename. */
ums = dupstring(n);
unmetafy(ums, ¨en);
+ if (umlen + pathpreflen + 1 > PATH_MAX)
+ continue;
memcpy(q, ums, umlen);
q[umlen] = '\0';
/* And do the stat. */
@@ -2213,6 +2217,8 @@ gen_matches_files(int dirs, int execs, int all)
/* We have to test for a path suffix. */
int o = strlen(p), tt;
+ if (o + strlen(psuf) > PATH_MAX)
+ continue;
/* Append it to the path buffer. */
strcpy(p + o, psuf);
--
2.14.3