emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sed: prevent overflow of length from bb_get_chunk_from_file

Browse Source 
This fragment did not work right:

                temp = bb_get_chunk_from_file(fp, &len);
                if (temp) {
                        /* len > 0 here, it's ok to do temp[len-1] */
                        char c = temp[len-1];

With "int len" _sign-extending_, temp[len-1] can refer to a wrong location
if len > 0x7fffffff.

Signed-off-by: Quentin Rameau <quinq@fifth.space>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Quentin Rameau
2018-04-01 19:49:58 +02:00
committed by Denys Vlasenko
parent 2da9724b56
commit e2afae6303
3 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
editors/sed.c
View File

@@ -988,7 +988,7 @@ static void flush_append(char *last_puts_char)
static char *get_next_line(char *gets_char, char *last_puts_char)
{
char *temp = NULL;
int len;
size_t len;
char gc;
flush_append(last_puts_char);