From ca7c69f009bf0e13b2c7cbb02310f7c322ee12a0 Mon Sep 17 00:00:00 2001
From: Oliver Kiddle <okiddle@yahoo.co.uk>
Date: Sat, 24 Mar 2018 15:04:39 +0100
Subject: [PATCH] 42519, CVE-2018-1083: check bounds on PATH_MAX-sized
buffer used for file completion candidates
Upstream-commit: 259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
Src/Zle/compctl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/Src/Zle/compctl.c b/Src/Zle/compctl.c
index 5414b8f..29649ac 100644
--- a/Src/Zle/compctl.c
+++ b/Src/Zle/compctl.c
@@ -2176,6 +2176,8 @@ gen_matches_files(int dirs, int execs, int all)
if (prpre && *prpre) {
pathpref = dupstring(prpre);
unmetafy(pathpref, &pathpreflen);
+ if (pathpreflen > PATH_MAX)
+ return;
/* system needs NULL termination, not provided by unmetafy */
pathpref[pathpreflen] = '\0';
} else {
@@ -2218,6 +2220,8 @@ gen_matches_files(int dirs, int execs, int all)
* the path buffer by appending the filename. */
ums = dupstring(n);
unmetafy(ums, ¨en);
+ if (umlen + pathpreflen + 1 > PATH_MAX)
+ continue;
memcpy(q, ums, umlen);
q[umlen] = '\0';
/* And do the stat. */
@@ -2232,6 +2236,8 @@ gen_matches_files(int dirs, int execs, int all)
/* We have to test for a path suffix. */
int o = strlen(p), tt;
+ if (o + strlen(psuf) > PATH_MAX)
+ continue;
/* Append it to the path buffer. */
strcpy(p + o, psuf);
--
2.14.3