X-Seq: 42539
From: Oliver Kiddle
To: Zsh workers
Subject: PATCH: spelling correction buffer overflow
Date: Tue, 27 Mar 2018 00:39:55 +0200
Message-ID: <3579.1522103995@thecus>

In utils.c:spname(), there's no checking on newname[] for overflows in two out of the three places where it is appended to. Returning NULL appears to abort the command-line rather than aborting only correction, which is perhaps not ideal, but the aim here is not to corrupt other bits of memory.

This also tweaks the struncpy() function I updated in the earlier patch.

Oliver

diff --git a/Src/utils.c b/Src/utils.c index 998b16220..9ea34ab54 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -2283,7 +2283,8 @@ struncpy(char **s, char *t, int n) { char *u = *s; - while (n-- && (*u++ = *t++)); + while (n-- && (*u = *t++)) + u++; *s = u; if (n > 0) /* just one null-byte will do, unlike strncpy(3) */ *u = '\0'; 
@@ -4420,17 +4421,20 @@ spname(char *oldname) * odd to the human reader, and we may make use of the total * * distance for all corrections at some point in the future. */ if (bestdist < maxthresh) { - strcpy(new, spnameguess); - strcat(new, old); - return newname; + struncpy(&new, spnameguess, sizeof(newname) - (new - newname)); + struncpy(&new, old, sizeof(newname) - (new - newname)); + return (new - newname) >= (sizeof(newname)-1) ? NULL : newname; } else return NULL; } else { maxthresh = bestdist + thresh; bestdist += thisdist; } - for (p = spnamebest; (*new = *p++);) + for (p = spnamebest; (*new = *p++);) { + if ((new - newname) >= (sizeof(newname)-1)) + return NULL; new++; + } } }
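Review bot: the rewritten loop in the struncpy() hunk changes where *s is left when the copy ends on the terminating NUL of t. The old `while (n-- && (*u++ = *t++));` stepped past the stored NUL (and the following `*u = '\0'` then wrote a second NUL after it); the new `while (n-- && (*u = *t++)) u++;` stops on it, so `*s = u` now points at the terminator and `if (n > 0) *u = '\0';` merely rewrites that same byte. That is exactly what the spname() hunk relies on (its second struncpy() appends at the terminator), but it is a contract change for any other struncpy() caller that assumed *s was past the NUL, so the remaining callers should be checked and the contract written into a comment above the function. Also worth a comment there: when t has n or more bytes before its NUL, the loop exits through `n--` with n == -1 and nothing is terminated at all, so callers must compare *s against the end of their buffer themselves, as the spname() change does; the existing "just one null-byte will do, unlike strncpy(3)" comment suggests a stronger termination guarantee than the function gives.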
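Review bot: the new return test `return (new - newname) >= (sizeof(newname)-1) ? NULL : newname;` is one byte more conservative than the two copies need. When the assembled name has exactly sizeof(newname)-1 characters, the second struncpy() stores the NUL in newname[sizeof(newname)-1] and leaves new at that offset, so the buffer is correctly terminated yet the correction is thrown away; only new == newname + sizeof(newname) (the copy ran out of room before it could store a NUL) is actually unterminated, so `>= sizeof(newname)` would be exact. If the byte of slack is intentional, a comment saying so will keep the next reader from "fixing" it. In the for loop, `if ((new - newname) >= (sizeof(newname)-1)) return NULL;` runs after `*new = *p++` has already stored a byte; that store is in bounds only because the check returns before `new++` once the last slot has been written, so new is never left past newname[sizeof(newname)-1] by an earlier iteration, and that invariant deserves a one-line comment too. Minor: both tests compare a ptrdiff_t with a size_t, which -Wsign-compare flags; a `(size_t)(new - newname)` cast is safe here since new never precedes newname.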
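As an added example, not zsh's code and not part of Oliver's message: a small C program that reimplements the bounded copy with the semantics the patched struncpy() has, uses it for a fixed-buffer join in the style of the spname() fix, and exercises the edge cases (exact fit, one byte too long, prefix alone too long) against a canary placed after the buffer. NAMEBUF, bounded_copy(), join_name(), stop_offset() and join_ok() are names made up for this demonstration, the buffer size of 16 is deliberately small, and the path fragments are constructed inputs.

```c
/* Added example, not zsh's code. NAMEBUF is a hypothetical, deliberately small
 * buffer size so the overflow edge cases are easy to hit; the real newname[]
 * in spname() is larger. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAMEBUF 16

/* Copy at most n bytes of t to *s and advance *s to where the copy stopped.
 * Same semantics as the patched struncpy(): if the terminating NUL of t is
 * stored, *s is left pointing AT that NUL so the next call appends there; if
 * n runs out first, no terminator is written and *s is left n bytes further
 * on. The caller must therefore compare *s against the end of the buffer. */
static void bounded_copy(char **s, const char *t, int n)
{
    char *u = *s;
    while (n-- && (*u = *t++))
        u++;
    *s = u;
    if (n > 0)   /* only reached after the NUL was stored; rewrites it in place */
        *u = '\0';
}

/* Assemble prefix+suffix into out[NAMEBUF]. Returns out when the result is
 * NUL-terminated inside the buffer, NULL when it did not fit (the partial
 * contents are then discarded by the caller, as in the patched spname()). */
static char *join_name(char out[NAMEBUF], const char *prefix, const char *suffix)
{
    char *cur = out;
    bounded_copy(&cur, prefix, NAMEBUF - (int)(cur - out));
    bounded_copy(&cur, suffix, NAMEBUF - (int)(cur - out));
    /* cur == out + NAMEBUF only when the last copy ran out of room before it
     * could store a NUL; any shorter result ends on a stored terminator.
     * (The patch compares against sizeof(newname)-1, one byte more
     * conservative than this.) */
    return (cur - out) >= NAMEBUF ? NULL : out;
}

/* Offset at which *s is left after copying "ab" into a roomy buffer, for the
 * pre-patch loop (post-increment inside the condition) and the patched one. */
static int stop_offset(int patched)
{
    char buf[8] = {0};
    char *u = buf;
    const char *t = "ab";
    int n = (int)sizeof(buf);

    if (patched) {
        bounded_copy(&u, t, n);
    } else {
        while (n-- && (*u++ = *t++))
            ;
        if (n > 0)
            *u = '\0';
    }
    return (int)(u - buf);
}

struct guarded {
    char buf[NAMEBUF];
    unsigned char canary[8];   /* must be untouched by join_name() */
};

/* Run join_name() into a canary-guarded buffer.
 * Returns 1: joined, terminated, contents correct; 0: rejected (NULL);
 * -1: bytes past the buffer were written; -2: accepted but contents wrong. */
static int join_ok(const char *prefix, const char *suffix)
{
    struct guarded g;
    size_t i;
    char *r;

    memset(g.buf, 'X', sizeof g.buf);          /* no accidental NULs */
    memset(g.canary, 0xAB, sizeof g.canary);
    r = join_name(g.buf, prefix, suffix);
    for (i = 0; i < sizeof g.canary; i++)
        if (g.canary[i] != 0xAB)
            return -1;
    if (r == NULL)
        return 0;
    if (strncmp(r, prefix, strlen(prefix)) != 0 ||
        strcmp(r + strlen(prefix), suffix) != 0)
        return -2;
    return 1;
}

int main(void)
{
    printf("old struncpy leaves *s at offset %d, patched at %d\n",
           stop_offset(0), stop_offset(1));
    printf("fits: %d, exactly fills: %d, one too long: %d, prefix alone too long: %d\n",
           join_ok("/usr/", "bin"), join_ok("/usr/local/s", "bin"),
           join_ok("/usr/local/sh", "bin"), join_ok("/this/is/way/too/long", "x"));
    return 0;
}
```

The canary check is what turns this into a regression test for the fix: every rejected join must return 0 rather than -1, showing that running out of room never writes past the buffer, while the exact-fit case ("/usr/local/s" + "bin" is 15 characters plus the NUL) shows the `>= NAMEBUF` test accepting a result the patch's `sizeof-1` comparison would drop.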