svn commit: r276100 - stable/9/usr.bin/sed

Pedro F. Giffuni pfg at FreeBSD.org
Tue Dec 23 02:47:15 UTC 2014


Author: pfg
Date: Tue Dec 23 02:47:14 2014
New Revision: 276100
URL: https://svnweb.freebsd.org/changeset/base/276100

Log:
  MFC	r275838;
  sed: Bounds check the file path used in the 'w' command.
  
  Modified version of a diff from Sebastien Marie to prevent a crash found
  with the afl fuzzer.
  
  Obtained from:	OpenBSD (CVS Rev. 1.37)

Modified:
  stable/9/usr.bin/sed/compile.c
Directory Properties:
  stable/9/usr.bin/sed/   (props changed)

Modified: stable/9/usr.bin/sed/compile.c
==============================================================================
--- stable/9/usr.bin/sed/compile.c	Tue Dec 23 02:46:00 2014	(r276099)
+++ stable/9/usr.bin/sed/compile.c	Tue Dec 23 02:47:14 2014	(r276100)
@@ -558,7 +558,7 @@ compile_flags(char *p, struct s_subst *s
 {
 	int gn;			/* True if we have seen g or n */
 	unsigned long nval;
-	char wfile[_POSIX2_LINE_MAX + 1], *q;
+	char wfile[_POSIX2_LINE_MAX + 1], *q, *eq;
 
 	s->n = 1;				/* Default */
 	s->p = 0;
@@ -611,9 +611,12 @@ compile_flags(char *p, struct s_subst *s
 #endif
 			EATSPACE();
 			q = wfile;
+			eq = wfile + sizeof(wfile) - 1;
 			while (*p) {
 				if (*p == '\n')
 					break;
+				if (q >= eq)
+					err(1, "wfile too long");
 				*q++ = *p++;
 			}
 			*q = '\0';


More information about the svn-src-all mailing list