Don't overflow buffers, and only open alternative termcap files if we're not running setuid or setgid.

Fixes PR 2586

Submitted by:	Julian Assange
imp 1997-03-24 06:41:30 +00:00
parent c4b2481493
commit a464de694f
2 changed files with 8 additions and 2 deletions


@ -34,3 +34,4 @@
*/
#define _PATH_DEF ".termcap /usr/share/misc/termcap"
#define _PATH_DEF_SEC "/usr/share/misc/termcap"
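Review bot: `_PATH_DEF_SEC` is added without a comment saying when it applies or why it differs from `_PATH_DEF`, which matters because it is the path a privileged process falls back to. Going by the commit message and the `getuid() != geteuid()` check in the other file, it is the setuid/setgid default and deliberately omits the relative `.termcap` entry. It is also copied into `pathbuf` with a plain `strcpy()`, so its length has to stay below `PBUFSIZ`. I would add above it: `/* Search path when running setuid/setgid: system termcap only, nothing user-controlled. Copied with strcpy(), so keep it shorter than PBUFSIZ. */`. The comment block that ends at `*/` starts outside the hunk, so it may already cover part of this.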


@ -105,8 +105,9 @@ tgetent(char *bp, const char *name)
strncpy(pathbuf, termpath, PBUFSIZ);
else {
if ( (home = getenv("HOME")) ) {/* set up default */
p += strlen(home); /* path, looking in */
strcpy(pathbuf, home); /* $HOME first */
strncpy(pathbuf, home, PBUFSIZ - 1); /* $HOME first */
pathbuf[PBUFSIZ - 2] = '\0'; /* -2 because we add a slash */
p += strlen(pathbuf); /* path, looking in */
*p++ = '/';
} /* if no $HOME look in current directory */
strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf));
@ -114,7 +115,11 @@ tgetent(char *bp, const char *name)
}
else /* user-defined name in TERMCAP */
strncpy(pathbuf, cp, PBUFSIZ); /* still can be tokenized */
pathbuf[PBUFSIZ - 1] = '\0';
/* XXX Should really be issetguid(), but we don't have that */
if (getuid() != geteuid() || getgid() != getegid())
strcpy(pathbuf, _PATH_DEF_SEC);
*fname++ = pathbuf; /* tokenize path into vector of names */
while (*++p)
if (*p == ' ' || *p == ':') {