On Wed, Dec 10, 2014 at 11:46:57AM +0100, Sébastien Marie wrote:
> On Wed, Dec 10, 2014 at 11:16:21AM +0100, Sébastien Marie wrote:
> > Hi,
> > 
> > In compile_flags, the variable holding the filename ('w' flag of the 's'
> > command) is an array of PATH_MAX length.
> > 
> > We should check the size of the wanted filename before copying it into wfile.
> > 
> > $ echo | sed -e s/a//w`perl -e "print '_' x 10000"` 
> > Bus error (core dumped)
> > 
> > Found also with afl-fuzz.
> > 
> 
> Here is a new patch that checks the file length while copying.

Something like this came up with the recent deroff change.
Perhaps make the comparison with two pointers like the
fix millert@ committed for that?

Index: compile.c
===================================================================
RCS file: /cvs/src/usr.bin/sed/compile.c,v
retrieving revision 1.36
diff -u -p -r1.36 compile.c
--- compile.c   8 Oct 2014 04:19:08 -0000       1.36
+++ compile.c   10 Dec 2014 11:18:14 -0000
@@ -538,7 +538,7 @@ compile_flags(char *p, struct s_subst *s
 {
        int gn;                 /* True if we have seen g or n */
        long l;
-       char wfile[PATH_MAX], *q;
+       char wfile[PATH_MAX], *q, *eq;
 
        s->n = 1;                               /* Default */
        s->p = 0;
@@ -584,9 +584,12 @@ compile_flags(char *p, struct s_subst *s
 #endif
                        EATSPACE();
                        q = wfile;
+                       eq = wfile + sizeof(wfile) - 1;
                        while (*p) {
                                if (*p == '\n')
                                        break;
+                               if (q + 1 >= eq)
+                                       err(COMPILE, "wfile too long");
                                *q++ = *p++;
                        }
                        *q = '\0';
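Review bot: the bound in the new check is one byte tighter than it needs to be. eq already points at the last slot of wfile, which is reserved for the NUL stored by `*q = '\0';` after the loop, so `if (q >= eq)` is the exact condition: q == eq means every non-NUL slot has been used and one more `*q++ = *p++` would overwrite the terminator's slot. With `if (q + 1 >= eq)` a name of PATH_MAX - 1 characters, which fits together with its terminator, is rejected as "wfile too long". Either form closes the overflow from the report, since the check runs before every store into wfile.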

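To make the boundary concrete, here is an added example (not code from the patch or from OpenBSD's sed) that models the 'w' filename loop of compile_flags() with a hypothetical WFILE_MAX of 16 standing in for PATH_MAX, runs it on a constructed input of the same shape as the report's run of underscores, and compares the patch's check against the tight bound. copy_wfile_tight(), copy_wfile_patch(), try_name() and stores() are names chosen for this example; the loops return -1 where sed would call err(COMPILE, ...).

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical small buffer size standing in for PATH_MAX so that the
 * boundary cases can be hit with short strings; the logic is unchanged.
 */
#define WFILE_MAX 16

/*
 * Bounded copy modelled on the 'w' flag loop in compile_flags(): copy bytes
 * from p into wfile until NUL or '\n'. eq points at the last slot of wfile,
 * which is reserved for the terminating NUL, so the tight bound is
 * "q >= eq": once q reaches eq there is no room for another character.
 * Returns the number of characters stored, or -1 when the name is too long.
 */
static int
copy_wfile_tight(char *wfile, size_t wfilesz, const char *p)
{
	char *q = wfile;
	char *eq = wfile + wfilesz - 1;		/* reserved for '\0' */

	while (*p) {
		if (*p == '\n')
			break;
		if (q >= eq)
			return -1;		/* wfile too long */
		*q++ = *p++;
	}
	*q = '\0';
	return (int)(q - wfile);
}

/*
 * The same loop with the check as written in the patch, "q + 1 >= eq".
 * It never writes past wfile either, but stops one byte early: a name of
 * wfilesz - 1 characters, which fits together with its NUL, is rejected.
 */
static int
copy_wfile_patch(char *wfile, size_t wfilesz, const char *p)
{
	char *q = wfile;
	char *eq = wfile + wfilesz - 1;

	while (*p) {
		if (*p == '\n')
			break;
		if (q + 1 >= eq)
			return -1;
		*q++ = *p++;
	}
	*q = '\0';
	return (int)(q - wfile);
}

/*
 * Constructed input: n '_' characters followed by a newline, like the
 * perl one-liner in the report. Runs one of the copy loops on it into a
 * WFILE_MAX buffer and returns that loop's result. n is capped so the
 * constructed name never overflows its own buffer; anything at or above
 * WFILE_MAX is rejected by the loops regardless.
 */
static int
try_name(size_t n, int (*copy)(char *, size_t, const char *))
{
	char name[2 * WFILE_MAX + 2];
	char wfile[WFILE_MAX];

	if (n > 2 * WFILE_MAX)
		n = 2 * WFILE_MAX;
	memset(name, '_', n);
	name[n] = '\n';
	name[n + 1] = '\0';
	return copy(wfile, sizeof(wfile), name);
}

/* 1 if copy_wfile_tight() stores exactly `expected` for `input`, else 0. */
static int
stores(const char *input, const char *expected)
{
	char wfile[WFILE_MAX];

	if (copy_wfile_tight(wfile, sizeof(wfile), input) < 0)
		return 0;
	return strcmp(wfile, expected) == 0;
}

int
main(void)
{
	size_t n;

	for (n = WFILE_MAX - 2; n <= WFILE_MAX; n++)
		printf("%zu chars: tight=%d patch=%d\n", n,
		    try_name(n, copy_wfile_tight),
		    try_name(n, copy_wfile_patch));
	return 0;
}
```

The loop over WFILE_MAX - 2 .. WFILE_MAX prints the one row where the two checks disagree: at WFILE_MAX - 1 characters the tight bound stores the name and the patch's bound reports it as too long, while both reject WFILE_MAX characters and the report's 10000-character input.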