Fix two buffer overflows caused by off-by-one errors: avoid writing a null

character 1 byte past the end of cmdline[] when libedit is being used for
input, and avoid writing a null pointer 1 element past the end of margv[].

Reviewed by:		gad
This commit is contained in:
tjr 2003-10-13 07:24:22 +00:00
parent 47ef5b092f
commit 9da9583b7f

View File

@ -186,7 +186,7 @@ cmdscanner(void)
if ((bp = el_gets(el, &num)) == NULL || num == 0)
quit(0, NULL);
len = (num > MAX_CMDLINE) ? MAX_CMDLINE : num;
len = (num > MAX_CMDLINE - 1) ? MAX_CMDLINE - 1 : num;
memcpy(cmdline, bp, len);
cmdline[len] = 0;
history(hist, &he, H_ENTER, bp);
@ -274,7 +274,7 @@ makeargv(void)
margc = 0;
for (cp = cmdline; *cp && (size_t)(cp - cmdline) < sizeof(cmdline) &&
n < MAX_MARGV; n++) {
n < MAX_MARGV - 1; n++) {
while (isspace(*cp))
cp++;
if (*cp == '\0')