NetBSD-Bugs archive
lib/54117: Buffer overflow in editline filename completion
>Number: 54117
>Category: lib
>Synopsis: Buffer overflow in editline filename completion
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 12 12:30:00 +0000 2019
>Originator: Paavo Helde
>Release: $NetBSD: filecomplete.c,v 1.51 2018/05/04 20:38:26 christos Exp $
>Organization:
PerkinElmer, inc
>Environment:
Linux altair 4.4.104-39-default #1 SMP Thu Jan 4 08:11:03 UTC 2018 (7db1912) x86_64 x86_64 x86_64 GNU/Linux
>Description:
It looks like the buffer allocated for filename completion in escape_filename() in http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libedit/filecomplete.c is too short by 1 byte. Maybe appending the terminating quote is not taken into account.
>How-To-Repeat:
In a program using editline/libedit, attempt to complete a filename that starts with ", for various lengths of the prefix. With our app, at least, it frequently crashes. valgrind memcheck shows an invalid write at line 259:
escaped_str[offset++] = '"';
>Fix:
After line 215
newlen = original_len + escaped_character_count + 1;
add
if (s_quoted || d_quoted) {
	++newlen;
}
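A simplified model of the length bookkeeping the report describes, added here as an illustration and not libedit's own code: the break-character set, the escaping loop and the function names are constructed; only the size formula and the one-line fix come from the PR. It lets you compare the bytes actually written (including the closing quote and the NUL) against both formulas.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed subset of characters that need a backslash when the
 * completed word is unquoted (libedit's real table is longer). */
static const char BREAK_CHARS[] = " \t\n\"'\\";

static bool needs_escape(char c, bool quoted)
{
	/* Inside a quoted word only the quote character itself is escaped. */
	return quoted ? (c == '"') : (strchr(BREAK_CHARS, c) != NULL);
}

static size_t escaped_count(const char *filename, bool quoted)
{
	size_t n = 0;
	for (const char *p = filename; *p != '\0'; p++)
		if (needs_escape(*p, quoted))
			n++;
	return n;
}

/* Buffer size as computed before the fix: original + escapes + NUL. */
size_t newlen_buggy(const char *filename, bool quoted)
{
	return strlen(filename) + escaped_count(filename, quoted) + 1;
}

/* Buffer size with the PR's fix: one extra byte for the closing quote. */
size_t newlen_fixed(const char *filename, bool quoted)
{
	size_t n = newlen_buggy(filename, quoted);
	if (quoted)
		++n;
	return n;
}

/* Performs the escaping into a private scratch buffer and returns the
 * number of bytes it actually needed, NUL included (0 if input too long). */
size_t bytes_written(const char *filename, bool quoted)
{
	static char out[256];
	size_t off = 0;
	if (strlen(filename) * 2 + 3 > sizeof out)
		return 0;
	for (const char *p = filename; *p != '\0'; p++) {
		if (needs_escape(*p, quoted))
			out[off++] = '\\';
		out[off++] = *p;
	}
	if (quoted)
		out[off++] = '"';	/* the write valgrind flagged as out of bounds */
	out[off++] = '\0';
	return off;
}
```

For any quoted completion the old formula is exactly one byte short of what the loop writes; the fixed formula matches it.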