Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

[PATCH] Fix off-by-one write in paramsubst()

X-seq: zsh-workers 39579
From: Julien Cretin <zsh@xxxxxx>
To: zsh-workers@xxxxxxx
Subject: [PATCH] Fix off-by-one write in paramsubst()
Date: Thu, 6 Oct 2016 11:36:32 +0200
Cc: Julien Cretin <zsh@xxxxxx>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm

When post is null, which may happen when quotetype is
QT_SINGLE_OPTIONAL, and isarr is true, the terminating null character
is written outside the allocated space.
---
 Src/subst.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Src/subst.c b/Src/subst.c
index ecd7487..4471774 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -3629,7 +3629,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
 			if (pre)
 			    ap[0][pre - 1] = ap[0][pre + sl] =
 				(quotetype != QT_DOUBLE ? '\'' : '"');
-			ap[0][pre + sl + 1] = '\0';
+			ap[0][pre + sl + post] = '\0';
 			if (quotetype == QT_DOLLARS)
 			  ap[0][0] = '$';
 		    }
@@ -3667,12 +3667,12 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags,
 		    char *tmp;
 		    tmp = quotestring(val, quotetype);
 		    sl = strlen(tmp);
-		    val = (char *) zhalloc(pre + sl + 2);
+		    val = (char *) zhalloc(pre + sl + post + 1);
 		    strcpy(val + pre, tmp);
 		    if (pre)
 			val[pre - 1] = val[pre + sl] =
 			    (quotetype != QT_DOUBLE ? '\'' : '"');
-		    val[pre + sl + 1] = '\0';
+		    val[pre + sl + post] = '\0';
 		    if (quotetype == QT_DOLLARS)
 		      val[0] = '$';
 		} else
-- 
2.7.4

Messages sorted by: Reverse Date, Date, Thread, Author