On Wed, Dec 10, 2014 at 11:16:21AM +0100, Sébastien Marie wrote:
> Hi,
>
> In compile_flags, the variable holding the filename ('w' flag of 's'
> command) is an array with PATH_MAX length.
>
> We should check the size of the wanted filename before copying it into wfile.
>
> $ echo | sed -e s/a//w`perl -e "print '_' x 10000"`
> Bus error (core dumped)
>
> Also found with afl-fuzz.
>
Here is a new patch that checks the file name length while copying.

--
Sébastien Marie

Index: compile.c
===================================================================
RCS file: /cvs/src/usr.bin/sed/compile.c,v
retrieving revision 1.36
diff -u -p -r1.36 compile.c
--- compile.c 8 Oct 2014 04:19:08 -0000 1.36
+++ compile.c 10 Dec 2014 10:41:23 -0000
@@ -587,6 +587,8 @@ compile_flags(char *p, struct s_subst *s while (*p) { if (*p == '\n') break; + if (q - wfile + 1 >= sizeof(wfile)) + err(COMPILE, "wfile too long"); *q++ = *p++; } *q = '\0';
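Review bot: the bound in the added `if (q - wfile + 1 >= sizeof(wfile))` is correct for the PATH_MAX array described in the mail: it refuses the store once only the last byte remains, so the trailing `*q = '\0';` after the loop still fits, and the copy can no longer run off the end of wfile. Two small points. First, `q - wfile + 1` is a ptrdiff_t compared against a size_t; the implicit conversion is harmless only because q never precedes wfile, and `q >= wfile + sizeof(wfile) - 1` expresses the same limit without mixing signedness. Second, "wfile too long" is an internal variable name surfacing in a user-visible diagnostic; "w: file name too long" (or similar) would tell the user which part of the 's' command was rejected, in keeping with the other compile errors in this file.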