From c3fec0b136d938704d8b0ba82424eea8d17f86ab Mon Sep 17 00:00:00 2001 From: Oliver Kiddle Date: Sat, 24 Mar 2018 15:02:41 +0100 Subject: [PATCH 1/2] 42518, CVE-2018-1071: check bounds when copying path in hashcmd() Upstream-commit: 679b71ec4d852037fe5f73d35bf557b0f406c8d4 Signed-off-by: Kamil Dudka --- Src/exec.c | 2 +- Src/utils.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Src/exec.c b/Src/exec.c index 6d47935..b9ffb35 100644 --- a/Src/exec.c +++ b/Src/exec.c @@ -860,7 +860,7 @@ hashcmd(char *arg0, char **pp) for (; *pp; pp++) if (**pp == '/') { s = buf; - strucpy(&s, *pp); + struncpy(&s, *pp, PATH_MAX); *s++ = '/'; if ((s - buf) + strlen(arg0) >= PATH_MAX) continue; diff --git a/Src/utils.c b/Src/utils.c index 391d020..c6eba63 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -2010,10 +2010,10 @@ struncpy(char **s, char *t, int n) { char *u = *s; - while (n--) - *u++ = *t++; + while (n-- && (*u++ = *t++)); *s = u; - *u = '\0'; + if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ + *u = '\0'; } /* Return the number of elements in an array of pointers. * -- 2.14.3 From 88b8110331ac616a8450fab0b87a65df715ee3a8 Mon Sep 17 00:00:00 2001 From: Oliver Kiddle Date: Wed, 28 Mar 2018 09:00:58 +0200 Subject: [PATCH 2/2] 42539: prevent overflow of PATH_MAX-sized buffer in spelling correction Upstream-commit: c053c6a0799397632df9ba88f8812a1da49c67f1 Signed-off-by: Kamil Dudka --- Src/utils.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/Src/utils.c b/Src/utils.c index 3989c8c..bac12a9 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -2010,7 +2010,8 @@ struncpy(char **s, char *t, int n) { char *u = *s; - while (n-- && (*u++ = *t++)); + while (n-- && (*u = *t++)) + u++; *s = u; if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ *u = '\0'; @@ -3745,17 +3746,20 @@ spname(char *oldname) * odd to the human reader, and we may make use of the total * * distance for all corrections at some point in the future. */ if (bestdist < maxthresh) { - strcpy(new, spnameguess); - strcat(new, old); - return newname; + struncpy(&new, spnameguess, sizeof(newname) - (new - newname)); + struncpy(&new, old, sizeof(newname) - (new - newname)); + return (new - newname) >= (sizeof(newname)-1) ? NULL : newname; } else return NULL; } else { maxthresh = bestdist + thresh; bestdist += thisdist; } - for (p = spnamebest; (*new = *p++);) + for (p = spnamebest; (*new = *p++);) { + if ((new - newname) >= (sizeof(newname)-1)) + return NULL; new++; + } } } -- 2.17.2