File CVE-2016-10714.patch of Package zsh.7007

Index: zsh-5.0.5/Src/Zle/compctl.c
===================================================================
--- zsh-5.0.5.orig/Src/Zle/compctl.c
+++ zsh-5.0.5/Src/Zle/compctl.c
@@ -2135,7 +2135,7 @@ gen_matches_files(int dirs, int execs, i
 {
     DIR *d;
     struct stat buf;
-    char *n, p[PATH_MAX], *q = NULL, *e, *pathpref;
+    char *n, p[PATH_MAX+1], *q = NULL, *e, *pathpref;
     LinkList l = NULL;
     int ns = 0, ng = opts[NULLGLOB], test, aw = addwhat, pathpreflen;
 
Index: zsh-5.0.5/Src/builtin.c
===================================================================
--- zsh-5.0.5.orig/Src/builtin.c
+++ zsh-5.0.5/Src/builtin.c
@@ -938,7 +938,7 @@ cd_do_chdir(char *cnam, char *dest, int
      * Normalize path under Cygwin to avoid messing with
      * DOS style names with drives in them
      */
-    static char buf[PATH_MAX];
+    static char buf[PATH_MAX+1];
 #ifdef HAVE_CYGWIN_CONV_PATH
     cygwin_conv_path(CCP_WIN_A_TO_POSIX | CCP_RELATIVE, dest, buf,
 		     PATH_MAX);
Index: zsh-5.0.5/Src/compat.c
===================================================================
--- zsh-5.0.5.orig/Src/compat.c
+++ zsh-5.0.5/Src/compat.c
@@ -270,7 +270,7 @@ zgetdir(struct dirsav *d)
     int len;
 #endif
 
-    buf = zhalloc(bufsiz = PATH_MAX);
+    buf = zhalloc(bufsiz = PATH_MAX+1);
     pos = bufsiz - 1;
     buf[pos] = '\0';
     strcpy(nbuf, "../");
@@ -439,11 +439,11 @@ zgetcwd(void)
 	    free(cwd);
 	}
 #else
-	char *cwdbuf = zalloc(PATH_MAX);
+	char *cwdbuf = zalloc(PATH_MAX+1);
 	ret = getcwd(cwdbuf, PATH_MAX);
 	if (ret)
 	    ret = dupstring(ret);
-	free(cwdbuf);
+	zfree(cwdbuf, PATH_MAX+1);
 #endif /* GETCWD_CALLS_MALLOC */
     }
 #endif /* HAVE_GETCWD */
Index: zsh-5.0.5/Src/exec.c
===================================================================
--- zsh-5.0.5.orig/Src/exec.c
+++ zsh-5.0.5/Src/exec.c
@@ -578,7 +578,7 @@ static void
 execute(LinkList args, int flags, int defpath)
 {
     Cmdnam cn;
-    char buf[MAXCMDLEN], buf2[MAXCMDLEN];
+    char buf[MAXCMDLEN+1], buf2[MAXCMDLEN+1];
     char *s, *z, *arg0;
     char **argv, **pp, **newenvp = NULL;
     int eno = 0, ee;
@@ -659,7 +659,7 @@ execute(LinkList args, int flags, int de
 
     /* for command -p, search the default path */
     if (defpath) {
-	char *s, pbuf[PATH_MAX];
+	char *s, pbuf[PATH_MAX+1];
 	char *dptr, *pe, *ps = DEFAULT_PATH;
 
 	for(;ps;ps = pe ? pe+1 : NULL) {
@@ -696,7 +696,7 @@ execute(LinkList args, int flags, int de
     } else {
 
 	if ((cn = (Cmdnam) cmdnamtab->getnode(cmdnamtab, arg0))) {
-	    char nn[PATH_MAX], *dptr;
+	    char nn[PATH_MAX+1], *dptr;
 
 	    if (cn->node.flags & HASHED)
 		strcpy(nn, cn->u.cmd);
@@ -781,7 +781,7 @@ findcmd(char *arg0, int docopy)
 	    break;
 	}
     if (cn) {
-	char nn[PATH_MAX];
+	char nn[PATH_MAX+1];
 
 	if (cn->node.flags & HASHED)
 	    strcpy(nn, cn->u.cmd);
@@ -862,7 +862,7 @@ mod_export Cmdnam
 hashcmd(char *arg0, char **pp)
 {
     Cmdnam cn;
-    char *s, buf[PATH_MAX];
+    char *s, buf[PATH_MAX+1];
     char **pq;
 
     for (; *pp; pp++)
@@ -4877,7 +4877,7 @@ runshfunc(Eprog prog, FuncWrap wrap, cha
 Eprog
 getfpfunc(char *s, int *ksh, char **fname)
 {
-    char **pp, buf[PATH_MAX];
+    char **pp, buf[PATH_MAX+1];
     off_t len;
     off_t rlen;
     char *d;
@@ -5005,7 +5005,7 @@ cancd(char *s)
     char *t;
 
     if (*s != '/') {
-	char sbuf[PATH_MAX], **cp;
+	char sbuf[PATH_MAX+1], **cp;
 
 	if (cancd2(s))
 	    return s;
Index: zsh-5.0.5/Src/glob.c
===================================================================
--- zsh-5.0.5.orig/Src/glob.c
+++ zsh-5.0.5/Src/glob.c
@@ -267,7 +267,7 @@ addpath(char *s, int l)
 static int
 statfullpath(const char *s, struct stat *st, int l)
 {
-    char buf[PATH_MAX];
+    char buf[PATH_MAX+1];
 
     DPUTS(strlen(s) + !*s + pathpos - pathbufcwd >= PATH_MAX,
 	  "BUG: statfullpath(): pathname too long");
@@ -737,7 +737,7 @@ parsepat(char *str)
 
     /* Now there is no (#X) in front, we can check the path. */
     if (!pathbuf)
-	pathbuf = zalloc(pathbufsz = PATH_MAX);
+	pathbuf = zalloc(pathbufsz = PATH_MAX+1);
     DPUTS(pathbufcwd, "BUG: glob changed directory");
     if (*str == '/') {		/* pattern has absolute path */
 	str++;
Index: zsh-5.0.5/Src/hist.c
===================================================================
--- zsh-5.0.5.orig/Src/hist.c
+++ zsh-5.0.5/Src/hist.c
@@ -1699,7 +1699,7 @@ chrealpath(char **junkptr)
     char *lastpos, *nonreal, *real;
 #else
 # ifdef HAVE_REALPATH
-    char *lastpos, *nonreal, real[PATH_MAX];
+    char *lastpos, *nonreal, real[PATH_MAX+1];
 # endif
 #endif
 
Index: zsh-5.0.5/Src/utils.c
===================================================================
--- zsh-5.0.5.orig/Src/utils.c
+++ zsh-5.0.5/Src/utils.c
@@ -683,7 +683,7 @@ ispwd(char *s)
     return 0;
 }
 
-static char xbuf[PATH_MAX*2];
+static char xbuf[PATH_MAX*2+1];
 
 /**/
 static char **
@@ -723,7 +723,7 @@ static int
 xsymlinks(char *s)
 {
     char **pp, **opp;
-    char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
+    char xbuf2[PATH_MAX*2+1], xbuf3[PATH_MAX*2+1];
     int t0, ret = 0;
     zulong xbuflen = strlen(xbuf);
 
@@ -916,7 +916,7 @@ finddir(char *s)
 	if(homenode.diff==1)
 	    homenode.diff = 0;
 	if(!finddir_full)
-	    finddir_full = zalloc(ffsz = PATH_MAX);
+	    finddir_full = zalloc(ffsz = PATH_MAX+1);
 	finddir_full[0] = 0;
 	return finddir_last = NULL;
     }
@@ -1414,7 +1414,7 @@ checkmailpath(char **s)
 	} else if (S_ISDIR(st.st_mode)) {
 	    LinkList l;
 	    DIR *lock = opendir(unmeta(*s));
-	    char buf[PATH_MAX * 2], **arr, **ap;
+	    char buf[PATH_MAX * 2 + 1], **arr, **ap;
 	    int ct = 1;
 
 	    if (lock) {
@@ -5820,7 +5820,7 @@ strsfx(char *s, char *t)
 static int
 upchdir(int n)
 {
-    char buf[PATH_MAX];
+    char buf[PATH_MAX+1];
     char *s;
     int err = -1;