
From: Marek Behún marek.behun@nic.cz
There is a possible overflow in env_match(): if the environment contains a terminating null byte before the '=' character (i.e. the environment is broken), the env_match() function can access data after the terminating null byte from the parameter pointer.
Example: if env_get_char() returns characters from string array "abc\0def\0" and env_match("abc", 0) is called, the function will access at least one byte after the end of the "abc" literal.
Signed-off-by: Marek Behún marek.behun@nic.cz
---
 cmd/nvedit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/nvedit.c b/cmd/nvedit.c index e2e8a38b5d..a516491832 100644 --- a/cmd/nvedit.c +++ b/cmd/nvedit.c @@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2) if (s1 == NULL || *s1 == '\0') return -1;
- while (*s1 == env_get_char(i2++)) + while (*s1 != '\0' && *s1 == env_get_char(i2++)) if (*s1++ == '=') return i2;
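Review bot: the new `*s1 != '\0'` test in the loop condition also changes the value of i2 at loop exit when s1 is exhausted, not only whether the over-read happens. In the old condition `*s1 == env_get_char(i2++)` the post-increment ran on the failing comparison too; with the short-circuit, `env_get_char(i2++)` is skipped entirely once `*s1` is '\0', so i2 is one lower in that case than before. Whatever follows the loop is outside the hunk, so please check that nothing there relies on i2 pointing one past the last compared environment character (for example an `i2 - 1` lookup, or i2 being returned as the start of the value). If that post-loop code does depend on the old value, a variant that keeps the increment behaviour identical while still stopping at the terminator is:
    while (*s1 == env_get_char(i2++)) {
        if (*s1 == '\0') break;
        if (*s1++ == '=') return i2;
    }
Either way, a one-line comment at the loop saying that s1 must not be advanced past its terminator would make the intent clear to the next reader.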