summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ChangeLog3
-rw-r--r--Src/utils.c8
2 files changed, 8 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 60ec155d7..2cc699b67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,8 @@
2018-04-07 Oliver Kiddle <okiddle@yahoo.co.uk>
+ * 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer
+ in mail checking
+
* 42600: Src/Zle/computil.c: error paths for _values leaked
the exclusion list array
diff --git a/Src/utils.c b/Src/utils.c
index c544b81bf..180693d67 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -1653,7 +1653,7 @@ checkmailpath(char **s)
LinkList l;
DIR *lock = opendir(unmeta(*s));
char buf[PATH_MAX * 2 + 1], **arr, **ap;
- int ct = 1;
+ int buflen, ct = 1;
if (lock) {
char *fn;
@@ -1662,9 +1662,11 @@ checkmailpath(char **s)
l = newlinklist();
while ((fn = zreaddir(lock, 1)) && !errflag) {
if (u)
- sprintf(buf, "%s/%s?%s", *s, fn, u);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
else
- sprintf(buf, "%s/%s", *s, fn);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+ if (buflen < 0 || buflen >= (int)sizeof(buf))
+ continue;
addlinknode(l, dupstring(buf));
ct++;
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-08 15:42:47 +0000