Date: Fri, 25 Jan 2019 22:52:49 +0000 (UTC) From: Jilles Tjoelker <jilles@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r343460 - stable/11/lib/libedit Message-ID: <201901252252.x0PMqnQu081374@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jilles Date: Fri Jan 25 22:52:49 2019 New Revision: 343460 URL: https://svnweb.freebsd.org/changeset/base/343460 Log: MFC r343105: libedit: Avoid out of bounds read in 'bind' command This is CVS revision 1.31 from NetBSD lib/libedit/chartype.c: Make sure that argv is NULL terminated since functions like tty_stty rely on it to be so (Gerry Swinslow) This broke when the wide-character support was enabled in libedit. The conversion from multibyte to wide-character did not supply the apparently expected terminating NULL in the new argv array. PR: 233343 Modified: stable/11/lib/libedit/chartype.c Directory Properties: stable/11/ (props changed) Modified: stable/11/lib/libedit/chartype.c ============================================================================== --- stable/11/lib/libedit/chartype.c Fri Jan 25 22:22:29 2019 (r343459) +++ stable/11/lib/libedit/chartype.c Fri Jan 25 22:52:49 2019 (r343460) @@ -157,7 +157,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer if (ct_conv_wbuff_resize(conv, bufspace + CT_BUFSIZ) == -1) return NULL; - wargv = el_malloc((size_t)argc * sizeof(*wargv)); + wargv = el_malloc((size_t)(argc + 1) * sizeof(*wargv)); for (i = 0, p = conv->wbuff; i < argc; ++i) { if (!argv[i]) { /* don't pass null pointers to mbstowcs */ @@ -175,6 +175,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer bufspace -= (size_t)bytes; p += bytes; } + wargv[i] = NULL; return wargv; }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201901252252.x0PMqnQu081374>