git: 45764d1d4856 - stable/14 - Tighten boundary check in split(1) to prevent a potential buffer overflow.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 06 May 2024 06:04:08 UTC
The branch stable/14 has been updated by delphij: URL: https://cgit.FreeBSD.org/src/commit/?id=45764d1d4856954fbfc48c11a715fad88821b135 commit 45764d1d4856954fbfc48c11a715fad88821b135 Author: Shawn Bayern <sbayern@law.fsu.edu> AuthorDate: 2024-05-03 07:46:18 +0000 Commit: Xin LI <delphij@FreeBSD.org> CommitDate: 2024-05-06 05:59:08 +0000 Tighten boundary check in split(1) to prevent a potential buffer overflow. (cherry picked from commit 95032b58a1ad0fde57518f17805ca721bb4563ad) --- usr.bin/split/split.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr.bin/split/split.c b/usr.bin/split/split.c index e246a0d4adfc..52374c93efca 100644 --- a/usr.bin/split/split.c +++ b/usr.bin/split/split.c @@ -401,6 +401,10 @@ newfile(void) */ if (!dflag && autosfx && (fpnt[0] == 'y') && strspn(fpnt+1, "z") == strlen(fpnt+1)) { + /* Ensure the generated filenames will fit into the buffer. */ + if (strlen(fname) + 2 >= sizeof(fname)) + errx(EX_USAGE, "combined filenames would be too long"); + fpnt = fname + strlen(fname) - sufflen; fpnt[sufflen + 2] = '\0'; fpnt[0] = end;