Fixes a potential buffer overflow with 'ed [MAXPATHLEN + 1 characters]'.

Submitted by: Mike Heffner <spock@techfour.net> Submitted on: audit@freebsd.org
2000-04-30 20:46:14 +00:00 · 2000-04-30 20:46:14 +00:00 · 2ef72bc152
commit 2ef72bc152
parent 2c9b67a8df
1 changed files with 5 additions and 3 deletions
--- a/bin/ed/main.c
+++ b/bin/ed/main.c
@ -175,7 +175,9 @@ main(argc, argv)
 			if (read_file(*argv, 0) < 0 && !isatty(0))
 				quit(2);
 			else if (**argv != '!')
-				strcpy(old_filename, *argv);
+				if (strlcpy(old_filename, *argv, sizeof(old_filename))
+				    >= sizeof(old_filename))
+					quit(2);
 		} else if (argc) {
 			fputs("?\n", stderr);
 			if (**argv == '\0')
@ -1345,8 +1347,8 @@ strip_escapes(s)
 	int i = 0;

 	REALLOC(file, filesz, MAXPATHLEN + 1, NULL);
-	/* assert: no trailing escape */
-	while ((file[i++] = (*s == '\\') ? *++s : *s))
+	while (i < filesz - 1	/* Worry about a possible trailing escape */
+	       && (file[i++] = (*s == '\\') ? *++s : *s))
 		s++;
 	return file;
 }