* [PATCH] Fix off-by-one write in paramsubst()
@ 2016-10-06 9:36 Julien Cretin
From: Julien Cretin @ 2016-10-06 9:36 UTC (permalink / raw)
To: zsh-workers; +Cc: Julien Cretin
When post is null, which may happen when quotetype is
QT_SINGLE_OPTIONAL, and isarr is true, the terminating null character
is written outside the allocated space.
---
Src/subst.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Src/subst.c b/Src/subst.c
index ecd7487..4471774 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -3629,7 +3629,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
if (pre)
ap[0][pre - 1] = ap[0][pre + sl] =
(quotetype != QT_DOUBLE ? '\'' : '"');
- ap[0][pre + sl + 1] = '\0';
+ ap[0][pre + sl + post] = '\0';
if (quotetype == QT_DOLLARS)
ap[0][0] = '$';
}
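Review bot: The new terminator index pre + sl + post in the array branch is only safe if the buffer behind ap[0] holds at least pre + sl + post + 1 bytes, and that allocation is not visible in this hunk or changed anywhere in the patch; please confirm it, or include it in the context. Also note that if pre is nonzero while post is 0, the write to ap[0][pre + sl + post] lands on the closing quote stored at ap[0][pre + sl] two lines above, so the code now relies on pre and post being zero together. A short comment or assertion stating that invariant next to the terminator line would make it explicit.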
@@ -3667,12 +3667,12 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
char *tmp;
tmp = quotestring(val, quotetype);
sl = strlen(tmp);
- val = (char *) zhalloc(pre + sl + 2);
+ val = (char *) zhalloc(pre + sl + post + 1);
strcpy(val + pre, tmp);
if (pre)
val[pre - 1] = val[pre + sl] =
(quotetype != QT_DOUBLE ? '\'' : '"');
- val[pre + sl + 1] = '\0';
+ val[pre + sl + post] = '\0';
if (quotetype == QT_DOLLARS)
val[0] = '$';
} else
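Review bot: The commit message describes only the isarr case, but this scalar branch changes as well, and here the old zhalloc(pre + sl + 2) already covered the old write at val[pre + sl + 1], so this part reads as a consistency change rather than the fix itself; the log should say so. The new size pre + sl + post + 1 is exact for the strcpy to val + pre (sl + 1 bytes) plus the terminator at val[pre + sl + post], with no slack left, so the same point about pre and post applies: with pre nonzero and post 0 the terminator would overwrite the closing quote at val[pre + sl]. Since both branches now repeat the same size and index arithmetic, consider factoring it into one helper so the two cannot drift apart again.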
--
2.7.4
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/