d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix two buffer overflows caused by off-by-one errors: avoid writing a null

Browse Source 
character 1 byte past the end of cmdline[] when libedit is being used for
input, and avoid writing a null pointer 1 element past the end of margv[].

Reviewed by:		gad
This commit is contained in:
Tim J. Robbins 2003-10-13 07:24:22 +00:00
parent 1f85f71570
commit 1a7c9b7f5e
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=121065
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
usr.sbin/lpr/lpc/lpc.c
View File

@ -186,7 +186,7 @@ cmdscanner(void)
if ((bp = el_gets(el, &num)) == NULL || num == 0)
quit(0, NULL);
len = (num > MAX_CMDLINE) ? MAX_CMDLINE : num;
len = (num > MAX_CMDLINE - 1) ? MAX_CMDLINE - 1 : num;
memcpy(cmdline, bp, len);
cmdline[len] = 0;
history(hist, &he, H_ENTER, bp);
@ -274,7 +274,7 @@ makeargv(void)
margc = 0;
for (cp = cmdline; *cp && (size_t)(cp - cmdline) < sizeof(cmdline) &&
n < MAX_MARGV; n++) {
n < MAX_MARGV - 1; n++) {
while (isspace(*cp))
cp++;
if (*cp == '\0')