d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

libedit: Avoid out of bounds read in 'bind' command

Browse Source 
This is CVS revision 1.31 from NetBSD lib/libedit/chartype.c:
Make sure that argv is NULL terminated since functions like tty_stty rely
on it to be so (Gerry Swinslow)

This broke when the wide-character support was enabled in libedit. The
conversion from multibyte to wide-character did not supply the apparently
expected terminating NULL in the new argv array.

PR:		233343
Submitted by:	Yuichiro NAITO
Obtained from:	NetBSD
MFC after:	1 week
This commit is contained in:
jilles 2019-01-16 21:59:18 +00:00
parent 407b0bb118
commit 3cc6d2d75d
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/libedit/chartype.c
View File

@ -157,7 +157,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv)
if (ct_conv_wbuff_resize(conv, bufspace + CT_BUFSIZ) == -1)
return NULL;
wargv = el_malloc((size_t)argc * sizeof(*wargv));
wargv = el_malloc((size_t)(argc + 1) * sizeof(*wargv));
for (i = 0, p = conv->wbuff; i < argc; ++i) {
if (!argv[i]) { /* don't pass null pointers to mbstowcs */
@ -175,6 +175,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv)
bufspace -= (size_t)bytes;
p += bytes;
}
wargv[i] = NULL;
return wargv;
}