From bd05c4b2def7defee3787df24e2cfb9f96900e6c Mon Sep 17 00:00:00 2001 From: Oliver Kiddle Date: Sat, 7 Apr 2018 12:48:31 +0200 Subject: 42595: remove dead code flagged by coverity --- Src/utils.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'Src/utils.c') diff --git a/Src/utils.c b/Src/utils.c index 3587c3622..c544b81bf 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -2486,9 +2486,7 @@ zstrtoul_underscore(const char *s, zulong *retval) base = 2, s++; else base = isset(OCTALZEROES) ? 8 : 10; - if (base < 2 || base > 36) { - return 0; - } else if (base <= 10) { + if (base <= 10) { for (; (*s >= '0' && *s < ('0' + base)) || *s == '_'; s++) { if (*s == '_') -- cgit v1.2.3 From 31f72205630687c1cef89347863aab355296a27f Mon Sep 17 00:00:00 2001 From: Oliver Kiddle Date: Sat, 7 Apr 2018 18:28:38 +0200 Subject: 42607, CVE-2018-1100: check bounds on buffer in mail checking --- ChangeLog | 3 +++ Src/utils.c | 8 +++++--- 2 files changed, 8 insertions(+), 3 deletions(-) (limited to 'Src/utils.c') diff --git a/ChangeLog b/ChangeLog index 60ec155d7..2cc699b67 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 2018-04-07 Oliver Kiddle + * 42607, CVE-2018-1100: Src/utils.c: check bounds on buffer + in mail checking + * 42600: Src/Zle/computil.c: error paths for _values leaked the exclusion list array diff --git a/Src/utils.c b/Src/utils.c index c544b81bf..180693d67 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -1653,7 +1653,7 @@ checkmailpath(char **s) LinkList l; DIR *lock = opendir(unmeta(*s)); char buf[PATH_MAX * 2 + 1], **arr, **ap; - int ct = 1; + int buflen, ct = 1; if (lock) { char *fn; 
@@ -1662,9 +1662,11 @@ checkmailpath(char **s)
 l = newlinklist();
 while ((fn = zreaddir(lock, 1)) && !errflag) {
 if (u)
- sprintf(buf, "%s/%s?%s", *s, fn, u);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s?%s", *s, fn, u);
 else
- sprintf(buf, "%s/%s", *s, fn);
+ buflen = snprintf(buf, sizeof(buf), "%s/%s", *s, fn);
+ if (buflen < 0 || buflen >= (int)sizeof(buf))
+ continue;
 addlinknode(l, dupstring(buf));
 ct++;
 }
-- cgit v1.2.3
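Review bot: The truncation guard added after the two `snprintf` calls drops an over-long entry with a bare `continue`, so a mailbox file whose combined `*s`/`fn`/`u` string does not fit in `buf` is skipped with no diagnostic and no comment saying why. A short comment above the check would record the intent, for example `/* path would not fit in buf: skip the entry rather than queue a truncated name */`. Because `buf` is copied straight into `dupstring(buf)`, sizing the string from the lengths of its parts instead of the fixed `PATH_MAX * 2 + 1` array would remove the limit altogether; that is a larger change than this hunk and is offered only as a suggestion. The body of `checkmailpath` starts and ends outside the hunk, so where `u` comes from and how long it can be is not visible here.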