File bsc1083002.patch of Package zsh.23099
commit c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
Author: Peter Stephenson <pws@zsh.org>
Date: Tue May 9 17:49:18 2017 +0100
40181: Fix buffer overrun in xsymlinks.
There was no check for copying to the internal xbuf2 for a
preliminary test.
Index: zsh-5.0.5/Src/utils.c
===================================================================
--- zsh-5.0.5.orig/Src/utils.c
+++ zsh-5.0.5/Src/utils.c
@@ -725,7 +725,7 @@ xsymlinks(char *s)
char **pp, **opp;
char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1];
int t0, ret = 0;
- zulong xbuflen = strlen(xbuf);
+ zulong xbuflen = strlen(xbuf), pplen;
opp = pp = slashsplit(s);
for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
@@ -744,10 +744,18 @@ xsymlinks(char *s)
*p = '\0';
continue;
}
- sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ /* Includes null byte. */
+ pplen = strlen(*pp) + 1;
+ if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
+ *xbuf = 0;
+ ret = -1;
+ break;
+ }
+ memcpy(xbuf2, xbuf, xbuflen);
+ xbuf2[xbuflen] = '/';
+ memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
if (t0 == -1) {
- zulong pplen = strlen(*pp) + 1;
if ((xbuflen += pplen) < sizeof(xbuf)) {
strcat(xbuf, "/");
strcat(xbuf, *pp);
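Review bot: `pplen` now carries two meanings in this hunk, and the added comment `/* Includes null byte. */` documents only the first. In the new check `xbuflen + pplen + 1 > sizeof(xbuf2)` the extra byte inside `pplen` is the terminating NUL and the explicit `+ 1` is the '/', while in the unchanged `(xbuflen += pplen) < sizeof(xbuf)` further down the same extra byte stands for the '/' appended to `xbuf`. I would widen the comment to something like `/* Component length plus one: the NUL for the xbuf2 copy here, the '/' when xbuflen is advanced below. */` so that a later edit to one use does not silently break the bound on the other. The overlong case now leaves the loop with `*xbuf = 0` and `ret = -1`; the body of xsymlinks starts and ends outside the hunk, so whether the callers treat that result as a failure cannot be confirmed from these lines.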