aboutsummaryrefslogtreecommitdiff
path: root/lib/libedit
diff options
context:
space:
mode:
authorJilles Tjoelker <jilles@FreeBSD.org>2019-01-16 21:59:18 +0000
committerJilles Tjoelker <jilles@FreeBSD.org>2019-01-16 21:59:18 +0000
commitfbdcf603c83854762ed772efe26d710e8b2de549 (patch)
treef731e08507b376d24b380806f1d83428b8a48f94 /lib/libedit
parent3ea589979369f0f0043768ec212b95d5404ee11a (diff)
downloadsrc-fbdcf603c83854762ed772efe26d710e8b2de549.tar.gz
src-fbdcf603c83854762ed772efe26d710e8b2de549.zip
libedit: Avoid out of bounds read in 'bind' command
This is CVS revision 1.31 from NetBSD lib/libedit/chartype.c: Make sure that argv is NULL terminated since functions like tty_stty rely on it to be so (Gerry Swinslow) This broke when the wide-character support was enabled in libedit. The conversion from multibyte to wide-character did not supply the apparently expected terminating NULL in the new argv array. PR: 233343 Submitted by: Yuichiro NAITO Obtained from: NetBSD MFC after: 1 week
Notes
Notes: svn path=/head/; revision=343105
Diffstat (limited to 'lib/libedit')
-rw-r--r--lib/libedit/chartype.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/libedit/chartype.c b/lib/libedit/chartype.c
index a695bdc384ec..068a66a2b5cf 100644
--- a/lib/libedit/chartype.c
+++ b/lib/libedit/chartype.c
@@ -157,7 +157,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv)
if (ct_conv_wbuff_resize(conv, bufspace + CT_BUFSIZ) == -1)
return NULL;
- wargv = el_malloc((size_t)argc * sizeof(*wargv));
+ wargv = el_malloc((size_t)(argc + 1) * sizeof(*wargv));
for (i = 0, p = conv->wbuff; i < argc; ++i) {
if (!argv[i]) { /* don't pass null pointers to mbstowcs */
@@ -175,6 +175,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv)
bufspace -= (size_t)bytes;
p += bytes;
}
+ wargv[i] = NULL;
return wargv;
}