author | Josef Karthauser <joe@FreeBSD.org> | 2000-04-30 20:46:14 +0000 |
---|---|---|
committer | Josef Karthauser <joe@FreeBSD.org> | 2000-04-30 20:46:14 +0000 |
commit | 2ef72bc15297f15397596873c4e2babaf6a02e55 (patch) | |
tree | 514162c17e761d33d7757a328e8ff0a1114b8e40 /bin/ed/main.c | |
parent | 2c9b67a8dfbc9f24504866e4f3861ac4db4702ce (diff) | |
Fixes a potential buffer overflow with 'ed [MAXPATHLEN + 1 characters]'.
Submitted by: Mike Heffner <spock@techfour.net>
Submitted on: audit@freebsd.org
Notes
Notes:
svn path=/head/; revision=59797
Diffstat (limited to 'bin/ed/main.c')
-rw-r--r-- | bin/ed/main.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/bin/ed/main.c b/bin/ed/main.c
index 7bff1297900a..b73738dc30cd 100644
--- a/bin/ed/main.c
+++ b/bin/ed/main.c
@@ -175,7 +175,9 @@ top:
 if (read_file(*argv, 0) < 0 && !isatty(0))
 quit(2);
 else if (**argv != '!')
- strcpy(old_filename, *argv);
+ if (strlcpy(old_filename, *argv, sizeof(old_filename))
+ >= sizeof(old_filename))
+ quit(2);
 } else if (argc) {
 fputs("?\n", stderr);
 if (**argv == '\0')
@@ -1345,8 +1347,8 @@ strip_escapes(s)
 int i = 0;
 REALLOC(file, filesz, MAXPATHLEN + 1, NULL);
- /* assert: no trailing escape */
- while ((file[i++] = (*s == '\\') ? *++s : *s))
+ while (i < filesz - 1 /* Worry about a possible trailing escape */
+ && (file[i++] = (*s == '\\') ? *++s : *s))
 s++;
 return file;
 }
|
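Review bot: The new length check on `old_filename` runs only after `read_file(*argv, 0)` has already been called with the same unbounded argument, so any fixed-size copy of the name on that earlier path (not visible in this hunk) is not covered by this guard. Consider rejecting an over-long `*argv` before the `read_file` call rather than after it. On truncation the code calls `quit(2)` with no diagnostic, while the neighbouring `else if (argc)` branch prints `?\n` to stderr, so a `fputs("?\n", stderr);` ahead of the new `quit(2)` would keep the error reporting consistent. The brace-less `else if … if …` nesting would also be safer to maintain with explicit braces; the enclosing block starts and ends outside the hunk.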
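Review bot: When the loop in `strip_escapes` stops on the new `i < filesz - 1` bound instead of on a copied NUL, nothing writes a terminator, so `file` can be returned without one. `file` and `filesz` are declared outside the hunk, but if the buffer is reused across calls its tail may hold stale bytes. Adding `file[i] = '\0';` between the loop and `return file;` stays in bounds, because `i` never exceeds `filesz - 1` on either exit path. The inline comment is also misleading: a trailing backslash already ends the loop by copying the NUL, and what the bound actually guards is an over-long name, so something like `/* stop before overrunning file[] on an over-long name */` would be more accurate. Truncation is silent here, so the caller receives a shortened path with no error, which may be worth reporting as a failure instead.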