author | joe <joe@FreeBSD.org> | 2000-04-30 20:46:14 +0000 |
---|---|---|
committer | joe <joe@FreeBSD.org> | 2000-04-30 20:46:14 +0000 |
commit | 215033019c4785edcd775420cedf5040893a48b8 (patch) | |
tree | c0c2c61e46acb20d9f7d1009f3a93ec4b4993131 /bin/ed | |
parent | 10914aa708815b60d6cf92f058f34b8865d17ba2 (diff) | |
Fixes a potential buffer overflow with 'ed [MAXPATHLEN + 1 characters]'.
Submitted by: Mike Heffner <spock@techfour.net>
Submitted on: audit@freebsd.org
Diffstat (limited to 'bin/ed')
-rw-r--r-- | bin/ed/main.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/bin/ed/main.c b/bin/ed/main.c
index 7bff129..b73738d 100644
--- a/bin/ed/main.c
+++ b/bin/ed/main.c
@@ -175,7 +175,9 @@ top:
 if (read_file(*argv, 0) < 0 && !isatty(0))
 quit(2);
 else if (**argv != '!')
- strcpy(old_filename, *argv);
+ if (strlcpy(old_filename, *argv, sizeof(old_filename))
+ >= sizeof(old_filename))
+ quit(2);
 } else if (argc) {
 fputs("?\n", stderr);
 if (**argv == '\0')
@@ -1345,8 +1347,8 @@ strip_escapes(s)
 int i = 0;
 REALLOC(file, filesz, MAXPATHLEN + 1, NULL);
- /* assert: no trailing escape */
- while ((file[i++] = (*s == '\\') ? *++s : *s))
+ while (i < filesz - 1 /* Worry about a possible trailing escape */
+ && (file[i++] = (*s == '\\') ? *++s : *s))
 s++;
 return file;
 } |
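Review bot: The length check on `old_filename` runs only after `read_file(*argv, 0)` has already been handed the same over-long argument, so any fixed-size copy of the name inside read_file (not visible in this hunk) would still be reached first; comparing `strlen(*argv)` with `sizeof(old_filename)` before the read would close that ordering gap. The new `if` is nested without braces under `else if (**argv != '!')`, which is easy to misread next to the following `} else if (argc)`; bracing the `else if` body would make the pairing explicit. `quit(2)` also exits without any diagnostic, so the user gets no hint that the name was too long; a `fputs` to stderr before it, as the `argc` branch does with `"?\n"`, would help. The enclosing block starts and ends outside the hunk.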
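Review bot: When the new bound `i < filesz - 1` is what ends the loop in strip_escapes, no terminator is written: the last store is a non-NUL byte at `file[filesz - 2]` and `file[filesz - 1]` keeps whatever the buffer held before, so callers may receive an unterminated string unless REALLOC zero-fills (not visible here). Adding `file[i] = '\0';` before `return file;` stays in bounds on both exit paths and guarantees termination. The truncation is also silent, so a caller could go on to open or write a shorter path than the one the user typed; reporting an error for over-long names would be safer if the callers can handle it. The inline comment is misleading, since a trailing backslash simply copies the NUL and ends the loop, while the bound actually guards against length. The function begins outside the hunk.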