Fix two buffer overflows caused by off-by-one errors: avoid writing a null
character 1 byte past the end of cmdline[] when libedit is being used for input, and avoid writing a null pointer 1 element past the end of margv[]. Reviewed by: gad
parent
47ef5b092f
commit
9da9583b7f
@ -186,7 +186,7 @@ cmdscanner(void)
|
|||||||
if ((bp = el_gets(el, &num)) == NULL || num == 0)
|
if ((bp = el_gets(el, &num)) == NULL || num == 0)
|
||||||
quit(0, NULL);
|
quit(0, NULL);
|
||||||
|
|
||||||
len = (num > MAX_CMDLINE) ? MAX_CMDLINE : num;
|
len = (num > MAX_CMDLINE - 1) ? MAX_CMDLINE - 1 : num;
|
||||||
memcpy(cmdline, bp, len);
|
memcpy(cmdline, bp, len);
|
||||||
cmdline[len] = 0;
|
cmdline[len] = 0;
|
||||||
history(hist, &he, H_ENTER, bp);
|
history(hist, &he, H_ENTER, bp);
|
||||||
@ -274,7 +274,7 @@ makeargv(void)
|
|||||||
|
|
||||||
margc = 0;
|
margc = 0;
|
||||||
for (cp = cmdline; *cp && (size_t)(cp - cmdline) < sizeof(cmdline) &&
|
for (cp = cmdline; *cp && (size_t)(cp - cmdline) < sizeof(cmdline) &&
|
||||||
n < MAX_MARGV; n++) {
|
n < MAX_MARGV - 1; n++) {
|
||||||
while (isspace(*cp))
|
while (isspace(*cp))
|
||||||
cp++;
|
cp++;
|
||||||
if (*cp == '\0')
|
if (*cp == '\0')
|
||||||
|
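Review bot: In the makeargv loop header, `*cp` is read before `(size_t)(cp - cmdline) < sizeof(cmdline)` is tested, so the bounds test cannot stop a read one element past the buffer. The loop is safe only because cmdscanner now always NUL-terminates cmdline. Swapping the operands, `(size_t)(cp - cmdline) < sizeof(cmdline) && *cp`, makes the check effective on its own. The new limits `MAX_CMDLINE - 1` and `MAX_MARGV - 1` presumably mirror the array declarations, which are outside the hunks, so a short comment such as `/* keep one slot for the terminating NULL in margv[] */` next to each limit would help prevent the off-by-one from being reintroduced. The loop body continues past the end of the hunk, so the terminating store into margv[] is not visible here.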