From 20cf100cddc27a1e7202413261c93b78142899e8 Mon Sep 17 00:00:00 2001 From: Oliver Kiddle Date: Sat, 24 Mar 2018 15:04:39 +0100 Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer used for file completion candidates Upstream-commit: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 Signed-off-by: Kamil Dudka Also picked a fix for buffer size off-by-one from upstream commit a62e1640bcafbb82d86ea8d8ce057a83c4683d60 to fix the following defect newly detected by Coverity Analysis: Error: OVERRUN (CWE-119): zsh-5.0.2/Src/Zle/compctl.c:2160: cond_at_most: Checking "pathpreflen > 4096" implies that "pathpreflen" may be up to 4096 on the false branch. zsh-5.0.2/Src/Zle/compctl.c:2172: overrun-buffer-arg: Overrunning array "p" of 4096 bytes by passing it to a function which accesses it at byte offset 4096 using argument "pathpreflen + 1" (which evaluates to 4097). [Note: The source code implementation of the function has been overridden by a builtin model.] --- Src/Zle/compctl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c index 5d67137..5e636ef 100644 --- a/Src/Zle/compctl.c +++ b/Src/Zle/compctl.c @@ -2136,7 +2136,7 @@ gen_matches_files(int dirs, int execs, int all) { DIR *d; struct stat buf; - char *n, p[PATH_MAX], *q = NULL, *e, *pathpref; + char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref; LinkList l = NULL; int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen; @@ -2157,6 +2157,8 @@ gen_matches_files(int dirs, int execs, int all) if (prpre && *prpre) { pathpref = dupstring(prpre); unmetafy(pathpref, &pathpreflen); + if (pathpreflen > PATH_MAX) + return; /* system needs NULL termination, not provided by unmetafy */ pathpref[pathpreflen] = '\0'; } else { @@ -2199,6 +2201,8 @@ gen_matches_files(int dirs, int execs, int all) * the path buffer by appending the filename. */ ums = dupstring(n); unmetafy(ums, ¨en); + if (umlen + pathpreflen + 1 > PATH_MAX) + continue; memcpy(q, ums, umlen); q[umlen] = '\0'; /* And do the stat. */ @@ -2213,6 +2217,8 @@ gen_matches_files(int dirs, int execs, int all) /* We have to test for a path suffix. */ int o = strlen(p), tt; + if (o + strlen(psuf) > PATH_MAX) + continue; /* Append it to the path buffer. */ strcpy(p + o, psuf); -- 2.14.3