Buffer overrun with conditionals in custom prompt #358

Closed
@gwsw

Description

skipcond() can overrun the string passed to it, and access bytes beyond the end of the string.

At the top of the loop, p is supposed to point to the character before the one about to be handled. At the top of the loop, p should never point to the null byte at the end of a string. In that case, p is incremented to point to the char beyond the end of the string, and the switch is evaluated based on that bad character.

To verify, apply this patch:

diff --git a/prompt.c b/prompt.c
index 6d63a4b..6098d1c 100644
--- a/prompt.c
+++ b/prompt.c
@@ -391,7 +391,9 @@ static constant char * skipcond(constant char *p)
     */
    iflevel = 1;
 
-   for (;;) switch (*++p)
+   for (;;) {
+if (*p == '\0') abort();
+   switch (*++p)
    {
    case '?':
        /*
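Review bot: the added line `if (*p == '\0') abort();` is flush-left while the surrounding block is indented four spaces; align it with `iflevel = 1;` and the `switch`. Its placement is right for what it is meant to catch: it inspects p before the pre-increment in `switch (*++p)`, which is exactly the invariant the description states (at the top of the loop p points at the character before the one about to be handled), so it fires only when a previous iteration left p on the terminator. Since `abort()` is a diagnostic to reproduce the report rather than a fix, the eventual change should handle the terminator inside the `switch` (a `case '\0':` that returns) instead of aborting.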
@@ -431,6 +433,7 @@ static constant char * skipcond(constant char *p)
         */
        return (p-1);
    }
+   }
    /*NOTREACHED*/
 }
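Review bot: the brace added here closes the `for (;;) {` opened in the first hunk, so the patch only compiles with both hunks applied; that is fine for a diagnostic, but if a real fix keeps the braced loop body, the `switch` and its cases end up one indentation level short of the surrounding style and need re-indenting. The `return (p-1);` in the context above documents the return convention (one character before the next one to be handled); a `case '\0':` inside the `switch` that returns on that same convention would let the caller stop cleanly at the terminator.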

This aborts when invoked as less '-P?f\' </dev/null.
