Fixes a potential buffer overflow with 'ed [MAXPATHLEN + 1 characters]'.

Submitted by: Mike Heffner <spock@techfour.net> Submitted on: audit@freebsd.org
author: joe <joe@FreeBSD.org> 2000-04-30 20:46:14 +0000
committer: joe <joe@FreeBSD.org> 2000-04-30 20:46:14 +0000
commit: 215033019c4785edcd775420cedf5040893a48b8 (patch)
tree: c0c2c61e46acb20d9f7d1009f3a93ec4b4993131 /bin/ed/main.c
parent: 10914aa708815b60d6cf92f058f34b8865d17ba2 (diff)
download: FreeBSD-src-215033019c4785edcd775420cedf5040893a48b8.zip
FreeBSD-src-215033019c4785edcd775420cedf5040893a48b8.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/bin/ed/main.c b/bin/ed/main.c
index 7bff129..b73738d 100644
--- a/bin/ed/main.c
+++ b/bin/ed/main.c
@@ -175,7 +175,9 @@ top:
 			if (read_file(*argv, 0) < 0 && !isatty(0))
 				quit(2);
 			else if (**argv != '!')
-				strcpy(old_filename, *argv);
+				if (strlcpy(old_filename, *argv, sizeof(old_filename))
+				    >= sizeof(old_filename))
+					quit(2);
 		} else if (argc) {
 			fputs("?\n", stderr);
 			if (**argv == '\0')
@@ -1345,8 +1347,8 @@ strip_escapes(s)
 	int i = 0;
 
 	REALLOC(file, filesz, MAXPATHLEN + 1, NULL);
-	/* assert: no trailing escape */
-	while ((file[i++] = (*s == '\\') ? *++s : *s))
+	while (i < filesz - 1	/* Worry about a possible trailing escape */
+	       && (file[i++] = (*s == '\\') ? *++s : *s))
 		s++;
 	return file;
 }
author	joe <joe@FreeBSD.org>	2000-04-30 20:46:14 +0000
committer	joe <joe@FreeBSD.org>	2000-04-30 20:46:14 +0000
commit	215033019c4785edcd775420cedf5040893a48b8 (patch)
tree	c0c2c61e46acb20d9f7d1009f3a93ec4b4993131 /bin/ed/main.c
parent	10914aa708815b60d6cf92f058f34b8865d17ba2 (diff)
download	FreeBSD-src-215033019c4785edcd775420cedf5040893a48b8.zip FreeBSD-src-215033019c4785edcd775420cedf5040893a48b8.tar.gz