git: 45764d1d4856 - stable/14 - Tighten boundary check in split(1) to prevent a potential buffer overflow.

From: Xin LI <delphij_at_FreeBSD.org>
Date: Mon, 06 May 2024 06:04:08 UTC
The branch stable/14 has been updated by delphij:

URL: https://cgit.FreeBSD.org/src/commit/?id=45764d1d4856954fbfc48c11a715fad88821b135

commit 45764d1d4856954fbfc48c11a715fad88821b135
Author:     Shawn Bayern <sbayern@law.fsu.edu>
AuthorDate: 2024-05-03 07:46:18 +0000
Commit:     Xin LI <delphij@FreeBSD.org>
CommitDate: 2024-05-06 05:59:08 +0000

    Tighten boundary check in split(1) to prevent a potential buffer overflow.
    
    (cherry picked from commit 95032b58a1ad0fde57518f17805ca721bb4563ad)
---
 usr.bin/split/split.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr.bin/split/split.c b/usr.bin/split/split.c
index e246a0d4adfc..52374c93efca 100644
--- a/usr.bin/split/split.c
+++ b/usr.bin/split/split.c
@@ -401,6 +401,10 @@ newfile(void)
 	 */
 	if (!dflag && autosfx && (fpnt[0] == 'y') &&
 			strspn(fpnt+1, "z") == strlen(fpnt+1)) {
+		/* Ensure the generated filenames will fit into the buffer. */
+		if (strlen(fname) + 2 >= sizeof(fname))
+			errx(EX_USAGE, "combined filenames would be too long");
+
 		fpnt = fname + strlen(fname) - sufflen;
 		fpnt[sufflen + 2] = '\0';
 		fpnt[0] = end;