Zsh Mailing List Archive
PATCH: spelling correction buffer overflow
- X-seq: zsh-workers 42539
- From: Oliver Kiddle <okiddle@xxxxxxxxxxx>
- To: Zsh workers <zsh-workers@xxxxxxx>
- Subject: PATCH: spelling correction buffer overflow
- Date: Tue, 27 Mar 2018 00:39:55 +0200
In utils.c:spname(), there's no checking on newname[] for overflows in
two out of the three places where it is appended to.
Returning NULL appears to abort the command-line rather than aborting
only correction which is perhaps not ideal but the aim here is not to
corrupt other bits of memory.
This also tweaks the struncpy() function I updated in the earlier patch.
Oliver
diff --git a/Src/utils.c b/Src/utils.c
index 998b16220..9ea34ab54 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -2283,7 +2283,8 @@ struncpy(char **s, char *t, int n)
{
char *u = *s;
- while (n-- && (*u++ = *t++));
+ while (n-- && (*u = *t++))
+ u++;
*s = u;
if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
*u = '\0';
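Review bot: with the loop now leaving `u` on the copied terminator, the `if (n > 0) *u = '\0';` that follows is redundant whenever the source fit (that byte is already NUL), and it never fires when the count ran out, because `n--` has left `n` at -1; a truncated copy is therefore returned unterminated. Either drop the check or change it to terminate on truncation, and document the contract (`*s` points at the terminator on success, at the end of the count on truncation) in the comment, since the spname() callers below depend on it.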
@@ -4420,17 +4421,20 @@ spname(char *oldname)
* odd to the human reader, and we may make use of the total *
* distance for all corrections at some point in the future. */
if (bestdist < maxthresh) {
- strcpy(new, spnameguess);
- strcat(new, old);
- return newname;
+ struncpy(&new, spnameguess, sizeof(newname) - (new - newname));
+ struncpy(&new, old, sizeof(newname) - (new - newname));
+ return (new - newname) >= (sizeof(newname)-1) ? NULL : newname;
} else
return NULL;
} else {
maxthresh = bestdist + thresh;
bestdist += thisdist;
}
- for (p = spnamebest; (*new = *p++);)
+ for (p = spnamebest; (*new = *p++);) {
+ if ((new - newname) >= (sizeof(newname)-1))
+ return NULL;
new++;
+ }
}
}
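Review bot: the return test `(new - newname) >= (sizeof(newname)-1)` refuses a corrected name that fits exactly. struncpy() leaves `new` on the copied terminator, so an exact fit puts it at `newname + sizeof(newname) - 1`, while a copy whose count ran out (no terminator written) leaves it at `newname + sizeof(newname)`; comparing against `sizeof(newname)` would reject only the latter. The check inside the `for` loop is correct as written, since it runs after a non-NUL byte was stored at `new`. Also, `new - newname` is a signed ptrdiff_t compared with an unsigned `sizeof`; a cast would avoid a sign-compare warning.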
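As an added illustration of the bounded-append pattern this patch introduces (example code, not zsh's own; `bounded_append`, `build_corrected`, `try_correction` and `NAME_MAX_LEN` are names chosen here), the following shows why the cursor is left on the terminator and how a caller tells a copy that fit from one that ran out of room, comparing against the full buffer size so an exact fit is accepted:

```c
#include <stdio.h>
#include <string.h>

/* Buffer size kept small so the overflow case is easy to exercise. */
#define NAME_MAX_LEN 16

/* Bounded append in the style of the patched struncpy(): copies at most n
 * bytes of t to *s and leaves *s on the copied terminator, so the next
 * append overwrites that NUL instead of leaving it mid-string.  If n runs
 * out first, no terminator is written and *s ends at the buffer end;
 * returns 1 in that case, 0 when all of t (with its NUL) fit. */
static int bounded_append(char **s, const char *t, int n)
{
    char *u = *s;
    while (n-- && (*u = *t++))
        u++;
    *s = u;
    return n < 0; /* count exhausted before the NUL was copied */
}

/* Assemble "<guess><rest>" into out, the way spname() does after a
 * correction, refusing (NULL) rather than overflowing when it does not fit. */
static const char *build_corrected(char out[NAME_MAX_LEN],
                                   const char *guess, const char *rest)
{
    char *cur = out;
    bounded_append(&cur, guess, NAME_MAX_LEN - (int)(cur - out));
    bounded_append(&cur, rest, NAME_MAX_LEN - (int)(cur - out));
    /* cur is on the terminator when everything fit (at most out+15 here);
     * it reaches out+NAME_MAX_LEN only when an append ran out of room. */
    return (cur - out) >= NAME_MAX_LEN ? NULL : out;
}

/* Driver: 1 if the correction fit and equals expect, 0 if it was refused,
 * -1 if it fit but produced something else. */
static int try_correction(const char *guess, const char *rest, const char *expect)
{
    char buf[NAME_MAX_LEN];
    const char *r = build_corrected(buf, guess, rest);
    if (r == NULL)
        return 0;
    return strcmp(r, expect) == 0 ? 1 : -1;
}

int main(void)
{
    printf("%d %d %d\n",
           try_correction("/usr/", "bin", "/usr/bin"),               /* fits */
           try_correction("/usr/", "local/bin1", "/usr/local/bin1"), /* exact fit: 15 + NUL */
           try_correction("/usr/", "local/bin12", ""));              /* 16 chars: refused */
    return 0;
}
```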