NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

lib/54117: Buffer overflow in editline filename completion

>Number:         54117
>Category:       lib
>Synopsis:       Buffer overflow in editline filename completion
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 12 12:30:00 +0000 2019
>Originator:     Paavo Helde
>Release:        $NetBSD: filecomplete.c,v 1.51 2018/05/04 20:38:26 christos Exp $
PerkinElmer, inc
Linux altair 4.4.104-39-default #1 SMP Thu Jan 4 08:11:03 UTC 2018 (7db1912) x86_64 x86_64 x86_64 GNU/Linux
It looks like the buffer allocated for filename completion in escape_filename() in is too short for 1 byte. Maybe appending the terminating quote is not taken into account.
In a program using editline/libedit attempt to complete a filename started with " , for various lengths of the prefix. With our app at least it frequently crashes. valgrind memcheck shows invalid write at line 259 

  escaped_str[offset++] = '"';


After line 215
newlen = original_len + escaped_character_count + 1;


if (s_quoted || d_quoted) {

Home | Main Index | Thread Index | Old Index