From fbdcf603c83854762ed772efe26d710e8b2de549 Mon Sep 17 00:00:00 2001 From: Jilles Tjoelker Date: Wed, 16 Jan 2019 21:59:18 +0000 Subject: [PATCH] libedit: Avoid out of bounds read in 'bind' command This is CVS revision 1.31 from NetBSD lib/libedit/chartype.c: Make sure that argv is NULL terminated since functions like tty_stty rely on it to be so (Gerry Swinslow) This broke when the wide-character support was enabled in libedit. The conversion from multibyte to wide-character did not supply the apparently expected terminating NULL in the new argv array. PR: 233343 Submitted by: Yuichiro NAITO Obtained from: NetBSD MFC after: 1 week
---
 lib/libedit/chartype.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/libedit/chartype.c b/lib/libedit/chartype.c
index a695bdc384e..068a66a2b5c 100644
--- a/lib/libedit/chartype.c
+++ b/lib/libedit/chartype.c
@@ -157,7 +157,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv)
 if (ct_conv_wbuff_resize(conv, bufspace + CT_BUFSIZ) == -1)
 return NULL;
- wargv = el_malloc((size_t)argc * sizeof(*wargv));
+ wargv = el_malloc((size_t)(argc + 1) * sizeof(*wargv));
 for (i = 0, p = conv->wbuff; i < argc; ++i) {
 if (!argv[i]) { /* don't pass null pointers to mbstowcs */
@@ -175,6 +175,7 @@ ct_decode_argv(int argc, const char *argv[], ct_buffer_t *conv)
 bufspace -= (size_t)bytes;
 p += bytes;
 }
+ wargv[i] = NULL;
 return wargv;
 }
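Review bot: The enlarged allocation `wargv = el_malloc((size_t)(argc + 1) * sizeof(*wargv));` is still used without a NULL check: the loop that follows in this hunk stores through `wargv`, and the second hunk's `wargv[i] = NULL;` does so unconditionally. On allocation failure that is a NULL-pointer write in whatever process embeds libedit. Adding `if (wargv == NULL) return NULL;` right after the call would match the `return NULL` already used for the `ct_conv_wbuff_resize` failure just above. The body of ct_decode_argv starts and ends outside this hunk, so this is based only on the lines shown. It is presumably also worth confirming that callers never pass a negative `argc`, since the `(size_t)` cast would then produce a zero-sized or very large request.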
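Review bot: The terminator store `wargv[i] = NULL;` is in bounds only because the first hunk reserves `argc + 1` slots, and nothing in the code records that the two lines depend on each other. A short comment such as `/* NULL-terminate: consumers like tty_stty() walk argv until NULL; slot argc is reserved at allocation */` would keep a later edit from shrinking the allocation or dropping the sentinel and reintroducing the out-of-bounds read. If the function has a header comment outside this hunk, it should also state that the returned array holds argc entries followed by a NULL sentinel.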