Date: Wed, 16 Jan 2019 21:59:19 +0000 (UTC) From: Jilles Tjoelker <jilles@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r343105 - head/lib/libedit Message-ID: <201901162159.x0GLxJaA031321@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jilles Date: Wed Jan 16 21:59:18 2019 New Revision: 343105 URL: https://svnweb.freebsd.org/changeset/base/343105 Log: libedit: Avoid out of bounds read in 'bind' command This is CVS revision 1.31 from NetBSD lib/libedit/chartype.c: Make sure that argv is NULL terminated since functions like tty_stty rely on it to be so (Gerry Swinslow) This broke when the wide-character support was enabled in libedit. The conversion from multibyte to wide-character did not supply the apparently expected terminating NULL in the new argv array. PR: 233343 Submitted by: Yuichiro NAITO Obtained from: NetBSD MFC after: 1 week Modified: head/lib/libedit/chartype.c Modified: head/lib/libedit/chartype.c ============================================================================== --- head/lib/libedit/chartype.c Wed Jan 16 21:13:50 2019 (r343104) +++ head/lib/libedit/chartype.c Wed Jan 16 21:59:18 2019 (r343105) @@ -157,7 +157,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer if (ct_conv_wbuff_resize(conv, bufspace + CT_BUFSIZ) == -1) return NULL; - wargv = el_malloc((size_t)argc * sizeof(*wargv)); + wargv = el_malloc((size_t)(argc + 1) * sizeof(*wargv)); for (i = 0, p = conv->wbuff; i < argc; ++i) { if (!argv[i]) { /* don't pass null pointers to mbstowcs */ @@ -175,6 +175,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer bufspace -= (size_t)bytes; p += bytes; } + wargv[i] = NULL; return wargv; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201901162159.x0GLxJaA031321>