From 3255aed2c4b596b5b9adfd96bb3b8672a89b6f71 Mon Sep 17 00:00:00 2001
From: hyenias <58673227+hyenias@users.noreply.github.com>
Date: Thu, 8 Apr 2021 21:47:21 -0400
Subject: [PATCH] lex.c: Fix buffer overflow in debug sh_lex and sh_syntax (#262)

fmttoken() needs a minimal char[4] token buffer passed to it. Originally reported by: Jakub Wilk Original bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879464 The following code lines from fmttoken() yield a n=3 for SYMSEMI as n=1 from the start, e.g. 'for <>;'. case SYMSEMI: if(tok[0]=='<') tok[n++] = '>'; sym = ';'; break; default: sym = 0; } tok[n++] = sym; } tok[n] = 0; n[0]='<' n[1]='>' n[2]=';' n[3]=0 # <-- BUFFER overflow as the passed character buffers have a size of 3 src/cmd/ksh93/sh/lex.c: - DBUG: sh_lex(): Adjust char tokstr[3] to char tokstr[4] - sh_syntax(): Adjust char tokbuf[3] to char tokbuf[4]
---
 src/cmd/ksh93/sh/lex.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/cmd/ksh93/sh/lex.c b/src/cmd/ksh93/sh/lex.c
index c9169cf4a..08384e11e 100644
--- a/src/cmd/ksh93/sh/lex.c
+++ b/src/cmd/ksh93/sh/lex.c
@@ -289,7 +289,7 @@ int sh_lex(Lex_t *lp)
 Shell_t *shp = lp->sh;
 register int flag;
 char *quoted, *macro, *split, *expand;
- char tokstr[3];
+ char tokstr[4];
 register int tok = lextoken(lp);
 quoted = macro = split = expand = "";
 if(tok==0 && (flag=lp->arg->argflag))
@@ -2108,7 +2108,7 @@ noreturn void sh_syntax(Lex_t *lp)
 register const char *cp = sh_translate(e_unexpected);
 register char *tokstr;
 register int tok = lp->token;
- char tokbuf[3];
+ char tokbuf[4];
 Sfio_t *sp;
 if((tok==EOFSYM) && lp->lasttok)
 {
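Review bot: The new size 4 for tokstr in sh_lex() (and for tokbuf in sh_syntax() in the second hunk) is a bare magic number whose only justification is the trace in the commit message, so a later edit to fmttoken() that emits one more character would silently reintroduce the same stack overflow. I would tie both declarations to the contract they depend on, either with a shared named constant or at minimum a comment such as `char tokstr[4];	/* fmttoken() writes up to 3 chars plus NUL, per its SYMSEMI '<>' case */`, and the same wording on tokbuf. A more durable fix would be for fmttoken() to take the destination length and bound its own writes, but fmttoken() is not in this patch so I cannot confirm its signature. Both sh_lex() and sh_syntax() continue past their hunks.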