42518, CVE-2018-1071: check bounds when copying path in hashcmd()

2025-09-24 17:21:08 +02:00 · 2018-03-24 15:02:41 +01:00 · 2018-03-24 15:02:41 +01:00 · 679b71ec4d
commit 679b71ec4d
parent beadc29214
3 changed files with 9 additions and 4 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2018-03-24  Oliver Kiddle  <okiddle@yahoo.co.uk>
+
+	* 42518, CVE-2018-1071: Src/exec.c, Src/utils.c:
+	check bounds when copying path in hashcmd()
+
 2018-03-24  Jun-ichi Takimoto <takimoto-j@kba.biglobe.ne.jp>

 	* 42501: Src/Zle/complete.c, Src/Zle/computil.c,
--- a/Src/exec.c
+++ b/Src/exec.c
@ -934,7 +934,7 @@ hashcmd(char *arg0, char **pp)
    for (; *pp; pp++)
 	if (**pp == '/') {
 	    s = buf;
-	    strucpy(&s, *pp);
+	    struncpy(&s, *pp, PATH_MAX);
 	    *s++ = '/';
 	    if ((s - buf) + strlen(arg0) >= PATH_MAX)
 		continue;
--- a/Src/utils.c
+++ b/Src/utils.c
@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n)
 {
    char *u = *s;

-    while (n--)
-	*u++ = *t++;
+    while (n-- && (*u++ = *t++));
    *s = u;
-    *u = '\0';
+    if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
+	*u = '\0';
 }

 /* Return the number of elements in an array of pointers. *