diff options
author | Jilles Tjoelker <jilles@FreeBSD.org> | 2019-01-16 21:59:18 +0000 |
---|---|---|
committer | Jilles Tjoelker <jilles@FreeBSD.org> | 2019-01-16 21:59:18 +0000 |
commit | fbdcf603c83854762ed772efe26d710e8b2de549 (patch) | |
tree | f731e08507b376d24b380806f1d83428b8a48f94 /lib/libedit | |
parent | 3ea589979369f0f0043768ec212b95d5404ee11a (diff) | |
download | src-test-fbdcf603c83854762ed772efe26d710e8b2de549.tar.gz src-test-fbdcf603c83854762ed772efe26d710e8b2de549.zip |
libedit: Avoid out of bounds read in 'bind' command
This is CVS revision 1.31 from NetBSD lib/libedit/chartype.c:
Make sure that argv is NULL terminated since functions like tty_stty rely
on it to be so (Gerry Swinslow)
This broke when the wide-character support was enabled in libedit. The
conversion from multibyte to wide-character did not supply the apparently
expected terminating NULL in the new argv array.
PR: 233343
Submitted by: Yuichiro NAITO
Obtained from: NetBSD
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=343105
Diffstat (limited to 'lib/libedit')
-rw-r--r-- | lib/libedit/chartype.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/libedit/chartype.c b/lib/libedit/chartype.c index a695bdc384ecf..068a66a2b5cfb 100644 --- a/lib/libedit/chartype.c +++ b/lib/libedit/chartype.c @@ -157,7 +157,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv) if (ct_conv_wbuff_resize(conv, bufspace + CT_BUFSIZ) == -1) return NULL; - wargv = el_malloc((size_t)argc * sizeof(*wargv)); + wargv = el_malloc((size_t)(argc + 1) * sizeof(*wargv)); for (i = 0, p = conv->wbuff; i < argc; ++i) { if (!argv[i]) { /* don't pass null pointers to mbstowcs */ @@ -175,6 +175,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv) bufspace -= (size_t)bytes; p += bytes; } + wargv[i] = NULL; return wargv; } |