Hi,

In compile_flags, the variable holding the filename ('w' flag of 's' command) is an array with PATH_MAX length.
We should check the size of the wanted filename before copying it into wfile.

$ echo | sed -e s/a//w`perl -e "print '_' x 10000"`
Bus error (core dumped)

Found also with afl-fuzz.

Thanks.
-- 
Sébastien Marie

Index: compile.c =================================================================== RCS file: /cvs/src/usr.bin/sed/compile.c,v retrieving revision 1.36 diff -u -p -r1.36 compile.c --- compile.c 8 Oct 2014 04:19:08 -0000 1.36 +++ compile.c 10 Dec 2014 10:03:51 -0000 @@ -582,6 +582,8 @@ compile_flags(char *p, struct s_subst *s return (p); } #endif + if (strnlen(p, PATH_MAX) == PATH_MAX) + err(COMPILE, "wfile too long"); EATSPACE(); q = wfile; while (*p) {
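
Review bot: the added strnlen(p, PATH_MAX) test sits above EATSPACE(), so it measures p with any leading whitespace still counted, while the copy into wfile only starts after that whitespace has been skipped; a file name that would fit can be rejected because of the blanks in front of it. Moving the test below EATSPACE() would make it measure the string the while (*p) loop actually starts from. The == PATH_MAX comparison is the right boundary, since it rejects any input of PATH_MAX bytes or more and so leaves room for the terminating NUL in a PATH_MAX-sized array. The message "wfile too long" names an internal variable; wording such as "w flag: file name too long" would tell the user which part of the script to fix.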