Uninitialized strcpy in spname() for long strings

Uninitialized strcpy in spname() for long strings

[Wayne Davison]

[-- Attachment #1: Type: text/plain, Size: 974 bytes --]

I was testing a really long command-line arg to a program, and zsh
kept either prompting me for a corrupted correction, or crashing.
Turns out that the spname() function has a problem in it where a
really long path component (whether it really is or not) can cause the
thresh value to be larger than the maximum distance value that
mindist() can return, which causes spname() to copy an uninitialized
buffer (spnamebest).  Several possible fixes come to mind:

 - Set thresh to a maximum of 100, so the ">=" check will not think
mindist() succeeded when it failed.

 - Skip the call to mindist() if the length of the string is greater
than NAME_MAX.  At that max length, thresh can't be larger than the
maximal dist return (100 > 255/4+1).

Some combination of the two.

I'm attaching the simplest of the two changes which avoids the copying
of uninitialized memory.  I'll check this in, and if anyone wants to
tweak it further, feel free.

..wayne..

[-- Attachment #2: uninitialized-copy.patch --]
[-- Type: text/x-patch, Size: 448 bytes --]

index 9857303..22bffa2 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -3684,6 +3684,8 @@ spname(char *oldname)
 	thresh = (int)(p - spnameguess) / 4 + 1;
 	if (thresh < 3)
 	    thresh = 3;
+	else if (thresh > 100)
+	    thresh = 100;
 	if ((thisdist = mindist(newname, spnameguess, spnamebest)) >= thresh) {
 	    /* The next test is always true, except for the first path    *
 	     * component.  We could initialize bestdist to some large     *