Subject: bin/33699: segfault in ed (patch)
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <hypnosses@pulltheplug.org>
List: netbsd-bugs
Date: 06/11/2006 04:30:00
>Number:         33699
>Category:       bin
>Synopsis:       segfault in ed (patch)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 11 04:30:00 +0000 2006
>Originator:     Kevin Massey
>Release:        
>Organization:
None
>Environment:
>Description:
 ed segfaults when it is given a very long string as its file argument
>How-To-Repeat:
ed `perl -e 'print "a" x 999'`
>Fix:
Index: main.c
===================================================================
RCS file: /cvsroot/src/bin/ed/main.c,v
retrieving revision 1.17
diff -u -r1.17 main.c
--- main.c      26 Jun 2005 19:10:49 -0000      1.17
+++ main.c      9 Jun 2006 19:25:03 -0000
@@ -177,7 +177,7 @@
                        if (read_file(*argv, 0) < 0 && !isatty(0))
                                quit(2);
                        else if (**argv != '!')
-                               strcpy(old_filename, *argv);
+                               strlcpy(old_filename, *argv, MAXPATHLEN - 1);
                } else if (argc) {
                        fputs("?\n", stderr);
                        if (**argv == '\0')
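Review bot: The new `strlcpy(old_filename, *argv, MAXPATHLEN - 1)` silently truncates an over-long name and ignores the return value, so ed would carry on with a default filename that differs from the one the user typed; the same applies to the `strlcpy` calls in the four later hunks. strlcpy takes the full destination size and always NUL-terminates, so the bound should come from the buffer itself and truncation should be rejected, e.g. `if (strlcpy(old_filename, fnp, sizeof(old_filename)) >= sizeof(old_filename)) { sprintf(errmsg, "filename too long"); return ERR; }` at the command sites (this assumes `old_filename` is an array; its declaration is outside the diff). Note also that `read_file(*argv, 0)` runs on the unbounded argument before this copy, and the 999-character reproducer may be shorter than `MAXPATHLEN` on the reporter's system, so it is worth confirming with a debugger backtrace that these copies are where the crash actually occurs. The enclosing block starts and ends outside the hunk.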
@@ -510,7 +510,7 @@
                        return ERR;
                else if (open_sbuf() < 0)
                        return FATAL;
-               if (*fnp && *fnp != '!') strcpy(old_filename, fnp);
+               if (*fnp && *fnp != '!') strlcpy(old_filename, fnp,
MAXPATHLEN - 1);
 #ifdef BACKWARDS
                if (*fnp == '\0' && *old_filename == '\0') {
                        sprintf(errmsg, "no current filename");
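Review bot: The added line in this hunk has been wrapped in transit: `MAXPATHLEN - 1);` sits on a line of its own with no `+` marker, so the hunk no longer matches the line counts in `@@ -510,7 +510,7 @@` and patch(1) is likely to reject or misapply it. The patch should be resent unwrapped, for example as an attachment. Putting the `strlcpy` call on its own line under the `if`, as the hunks at 668 and 802 already do, would also keep the line short enough to survive mailers.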
@@ -537,7 +537,7 @@
                        return ERR;
                }
                GET_COMMAND_SUFFIX();
-               if (*fnp) strcpy(old_filename, fnp);
+               if (*fnp) strlcpy(old_filename, fnp, MAXPATHLEN - 1);
                printf("%s\n", strip_escapes(old_filename));
                break;
        case 'g':
@@ -668,7 +668,7 @@
                GET_COMMAND_SUFFIX();
                if (!isglobal) clear_undo_stack();
                if (*old_filename == '\0' && *fnp != '!')
-                       strcpy(old_filename, fnp);
+                       strlcpy(old_filename, fnp, MAXPATHLEN - 1);
 #ifdef BACKWARDS
                if (*fnp == '\0' && *old_filename == '\0') {
                        sprintf(errmsg, "no current filename");
@@ -802,7 +802,7 @@
                        return ERR;
                GET_COMMAND_SUFFIX();
                if (*old_filename == '\0' && *fnp != '!')
-                       strcpy(old_filename, fnp);
+                       strlcpy(old_filename, fnp,MAXPATHLEN - 1);
 #ifdef BACKWARDS
                if (*fnp == '\0' && *old_filename == '\0') {
                        sprintf(errmsg, "no current filename");