svn commit: r343479 - head/libexec/getty

Stefan Esser se at FreeBSD.org
Sat Jan 26 20:43:29 UTC 2019


Author: se
Date: Sat Jan 26 20:43:28 2019
New Revision: 343479
URL: https://svnweb.freebsd.org/changeset/base/343479

Log:
  Fix potential buffer overflow and undefined behavior.
  
  The buffer allocated in read_chat() could be 1 element too short, if the
  chatstr parameter passed in is 1 or 3 characters long (e.g. "a" or "a b").
  The allocation of the pointer array does not account for the terminating
  NULL pointer in that case.
  
  Overlapping source and destination strings are undefined in strcpy().
  Instead of moving a string to the left by one character just increment the
  char pointer before it is assigned to the results array.
  
  MFC after:	2 weeks

Modified:
  head/libexec/getty/chat.c

Modified: head/libexec/getty/chat.c
==============================================================================
--- head/libexec/getty/chat.c	Sat Jan 26 18:23:19 2019	(r343478)
+++ head/libexec/getty/chat.c	Sat Jan 26 20:43:28 2019	(r343479)
@@ -141,7 +141,7 @@ read_chat(char **chatstr)
 		int l;
 
 		if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL &&
-		    (res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) {
+		    (res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) {
 			static char ws[] = " \t";
 			char * p;
 
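Review bot: The new size expression `((l + 1) / 2 + 1)` in the `res=malloc(...)` line has no comment stating the bound it encodes. A string of length l holds at most (l + 1) / 2 whitespace-separated words (single-character words with single separators, as in "a b"), and the extra slot is for the terminating NULL pointer; a one-line comment above the `if` would keep a later edit from dropping the rounding again. Separately, in the same condition, when `tmp=malloc(l + 1)` succeeds and the `res` allocation fails, nothing in the visible lines frees `tmp`, so the failure path is worth checking for a leak.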
@@ -216,7 +216,7 @@ read_chat(char **chatstr)
 					q = strrchr(p+1, *p);
 					if (q != NULL && *q == *p && q[1] == '\0') {
 						*q = '\0';
-						strcpy(p, p+1);
+						p++;
 					}
 				}
 
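Review bot: The `p++` that replaces `strcpy(p, p+1)` no longer modifies the string in place, so it only has the intended effect if `p` is stored into the results array after this block and no earlier copy of the pointer is used; that assignment is outside the visible context and should be confirmed. A short comment such as `/* skip opening quote */` on the `p++` line would make this explicit. The `*q == *p` test in the `if` is also redundant, since `strrchr(p+1, *p)` only returns a pointer to a character equal to `*p`.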

