[src/trunk]: src/lib/libedit From Yuichiro Naito (FreeBSD):

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/276a77f81b9d
branches:  trunk
changeset: 446166:276a77f81b9d
user:      christos <christos%NetBSD.org@localhost>
date:      Sun Nov 25 16:21:04 2018 +0000

description:
>From Yuichiro Naito (FreeBSD):

hrs@ says that
(cbp >= MB_LEN_MAX) condition is necessary for checking invalid
byte sequences.  If malicious input was given, libedit would read
byte sequences forever.

diffstat:

 lib/libedit/read.c |  9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diffs (30 lines):

diff -r 0bcada31d938 -r 276a77f81b9d lib/libedit/read.c
--- a/lib/libedit/read.c        Sun Nov 25 16:20:28 2018 +0000
+++ b/lib/libedit/read.c        Sun Nov 25 16:21:04 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: read.c,v 1.104 2018/11/18 17:09:39 christos Exp $      */
+/*     $NetBSD: read.c,v 1.105 2018/11/25 16:21:04 christos Exp $      */
 
 /*-
  * Copyright (c) 1992, 1993
@@ -37,7 +37,7 @@
 #if 0
 static char sccsid[] = "@(#)read.c     8.1 (Berkeley) 6/4/93";
 #else
-__RCSID("$NetBSD: read.c,v 1.104 2018/11/18 17:09:39 christos Exp $");
+__RCSID("$NetBSD: read.c,v 1.105 2018/11/25 16:21:04 christos Exp $");
 #endif
 #endif /* not lint && not SCCSID */
 
@@ -335,6 +335,11 @@
                                goto again;
                        }
                case (size_t)-2:
+                       if (cbp >= MB_LEN_MAX) {
+                               errno = EILSEQ;
+                               *cp = L'\0';
+                               return -1;
+                       }
                        /* Incomplete sequence, read another byte. */
                        goto again;
                default: