Fix two buffer overflows caused by off-by-one errors: avoid writing a null
character 1 byte past the end of cmdline[] when libedit is being used for input, and avoid writing a null pointer 1 element past the end of margv[]. Reviewed by: gad
This commit is contained in:
parent
47ef5b092f
commit
9da9583b7f
@ -186,7 +186,7 @@ cmdscanner(void)
|
||||
if ((bp = el_gets(el, &num)) == NULL || num == 0)
|
||||
quit(0, NULL);
|
||||
|
||||
len = (num > MAX_CMDLINE) ? MAX_CMDLINE : num;
|
||||
len = (num > MAX_CMDLINE - 1) ? MAX_CMDLINE - 1 : num;
|
||||
memcpy(cmdline, bp, len);
|
||||
cmdline[len] = 0;
|
||||
history(hist, &he, H_ENTER, bp);
|
||||
@ -274,7 +274,7 @@ makeargv(void)
|
||||
|
||||
margc = 0;
|
||||
for (cp = cmdline; *cp && (size_t)(cp - cmdline) < sizeof(cmdline) &&
|
||||
n < MAX_MARGV; n++) {
|
||||
n < MAX_MARGV - 1; n++) {
|
||||
while (isspace(*cp))
|
||||
cp++;
|
||||
if (*cp == '\0')
|
||||
|
Loading…
Reference in New Issue
Block a user