mirror of
git://git.code.sf.net/p/zsh/code
synced 2025-09-03 22:32:12 +02:00
42518, CVE-2018-1071: check bounds when copying path in hashcmd()
This commit is contained in:
parent
beadc29214
commit
679b71ec4d
3 changed files with 9 additions and 4 deletions
|
@ -1,3 +1,8 @@
|
|||
2018-03-24 Oliver Kiddle <okiddle@yahoo.co.uk>
|
||||
|
||||
* 42518, CVE-2018-1071: Src/exec.c, Src/utils.c:
|
||||
check bounds when copying path in hashcmd()
|
||||
|
||||
2018-03-24 Jun-ichi Takimoto <takimoto-j@kba.biglobe.ne.jp>
|
||||
|
||||
* 42501: Src/Zle/complete.c, Src/Zle/computil.c,
|
||||
|
|
|
@ -934,7 +934,7 @@ hashcmd(char *arg0, char **pp)
|
|||
for (; *pp; pp++)
|
||||
if (**pp == '/') {
|
||||
s = buf;
|
||||
strucpy(&s, *pp);
|
||||
struncpy(&s, *pp, PATH_MAX);
|
||||
*s++ = '/';
|
||||
if ((s - buf) + strlen(arg0) >= PATH_MAX)
|
||||
continue;
|
||||
|
|
|
@ -2283,10 +2283,10 @@ struncpy(char **s, char *t, int n)
|
|||
{
|
||||
char *u = *s;
|
||||
|
||||
while (n--)
|
||||
*u++ = *t++;
|
||||
while (n-- && (*u++ = *t++));
|
||||
*s = u;
|
||||
*u = '\0';
|
||||
if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
|
||||
*u = '\0';
|
||||
}
|
||||
|
||||
/* Return the number of elements in an array of pointers. *
|
||||
|
|
Loading…
Reference in a new issue