external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-02-13 19:52:20 +00:00
Code Issues Releases Wiki Activity

lex.c: Fix buffer overflow in debug sh_lex and sh_syntax (#262)

Browse source 
fmttoken() needs a minimal char[4] token buffer passed to it.

Originally reported by: Jakub Wilk <jwilk@jwilk.net>
Original bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879464

The following code lines from fmttoken() yield a n=3 for SYMSEMI as
n=1 from the start, e.g. 'for <>;'.

        case SYMSEMI:
                if(tok[0]=='<')
                        tok[n++] = '>';
                sym = ';';
                break;
        default:
                sym = 0;
        }
        tok[n++] = sym;
}
tok[n] = 0;

n[0]='<'
n[1]='>'
n[2]=';'
n[3]=0 # <-- BUFFER overflow as the passed character buffers have a size of 3

src/cmd/ksh93/sh/lex.c:
- DBUG: sh_lex(): Adjust char tokstr[3] to char tokstr[4]
- sh_syntax(): Adjust char tokbuf[3] to char tokbuf[4]
This commit is contained in:
hyenias 2021-04-08 21:47:21 -04:00 committed by GitHub
parent a065558291
commit 3255aed2c4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/cmd/ksh93/sh/lex.c
View file

@ -289,7 +289,7 @@ int sh_lex(Lex_t *lp)
Shell_t *shp = lp->sh;
register int flag;
char *quoted, *macro, *split, *expand;
char tokstr[3];
char tokstr[4];
register int tok = lextoken(lp);
quoted = macro = split = expand = "";
if(tok==0 && (flag=lp->arg->argflag))
@ -2108,7 +2108,7 @@ noreturn void sh_syntax(Lex_t *lp)
register const char *cp = sh_translate(e_unexpected);
register char *tokstr;
register int tok = lp->token;
char tokbuf[3];
char tokbuf[4];
Sfio_t *sp;
if((tok==EOFSYM) && lp->lasttok)
{