diff options
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | Src/Zle/compctl.c | 6 |
2 files changed, 9 insertions, 0 deletions
@@ -1,5 +1,8 @@ 2018-03-24 Oliver Kiddle <okiddle@yahoo.co.uk> + * 42519, CVE-2018-1083: Src/Zle/compctl.c: check bounds on + PATH_MAX-sized buffer used for file completion candidates + * 42518, CVE-2018-1071: Src/exec.c, Src/utils.c: check bounds when copying path in hashcmd() diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c index e9d165780..87d13afc1 100644 --- a/Src/Zle/compctl.c +++ b/Src/Zle/compctl.c @@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all) if (prpre && *prpre) { pathpref = dupstring(prpre); unmetafy(pathpref, &pathpreflen); + if (pathpreflen > PATH_MAX) + return; /* system needs NULL termination, not provided by unmetafy */ pathpref[pathpreflen] = '\0'; } else { @@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all) * the path buffer by appending the filename. */ ums = dupstring(n); unmetafy(ums, ¨en); + if (umlen + pathpreflen + 1 > PATH_MAX) + continue; memcpy(q, ums, umlen); q[umlen] = '\0'; /* And do the stat. */ @@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all) /* We have to test for a path suffix. */ int o = strlen(p), tt; + if (o + strlen(psuf) > PATH_MAX) + continue; /* Append it to the path buffer. */ strcpy(p + o, psuf); |