From eed7b9226ff81b9d6be6203c30b92beb2b6f77aa Mon Sep 17 00:00:00 2001
From: se
Date: Thu, 14 Feb 2019 15:41:05 +0000
Subject: [PATCH] MFC r343479: Fix potential buffer overflow and undefined behavior.

The buffer allocated in read_chat() could be 1 element too short, if the chatstr parameter passed in is 1 or 3 charachters long (e.g. "a" or "a b"). The allocation of the pointer array does not account for the terminating NULL pointer in that case.

Overlapping source and destination strings are undefined in strcpy(). Instead of moving a string to the left by one character just increment the char pointer before it is assigned to the results array.
---
 libexec/getty/chat.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libexec/getty/chat.c b/libexec/getty/chat.c
index 4817c977ce1..fce31cde60b 100644
--- a/libexec/getty/chat.c
+++ b/libexec/getty/chat.c
@@ -141,7 +141,7 @@ read_chat(char **chatstr)
 int l;
 
 if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL &&
- (res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) {
+ (res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) {
 static char ws[] = " \t";
 char * p;
 
@@ -216,7 +216,7 @@ read_chat(char **chatstr)
 q = strrchr(p+1, *p);
 if (q != NULL && *q == *p && q[1] == '\0') {
 *q = '\0';
- strcpy(p, p+1);
+ p++;
 }
 }
 
-- 
2.45.0
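Review bot: The new bound `((l + 1) / 2 + 1)` in the `res` allocation deserves a comment saying where it comes from, since the ceiling division is easy to misread (or "simplify" back to `l / 2`) later; I would put above the `if`: `/* at most (l + 1) / 2 whitespace-separated tokens, plus the terminating NULL pointer */`. The count `l` is declared `int` two lines above and is assigned from `strlen()`, so a value that does not fit in `int` would be truncated before the allocation is sized; that is presumably unreachable for a gettytab string, but declaring it `size_t` would remove the question. Because the condition short-circuits, `tmp` has already been allocated when the `res` allocation fails; the `if` body and whatever follows it lie outside the hunk, so I cannot see whether `tmp` is released on that path — worth confirming.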
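Review bot: The `p++` on the new line is only meaningful if the adjusted pointer is what is later stored into the result array, and that store sits outside the hunk, so a one-line comment at the site would save the next reader a trip: `/* strip both quotes: the closing one was just NUL-terminated, skip the opening one */`. From what is visible the increment is safe — `q` was found by `strrchr(p+1, *p)`, so `p+1` is within the token — but the `if` that established `*p` is an opening quote and the loop enclosing it both start and end outside the hunk, and the visible test `*q == *p` is redundant with what `strrchr()` already guarantees; that redundancy is pre-existing, so no change is needed there.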