mined: fix buffer overflow in input()

input() is used to accept filenames when saving, regular
expressions when searching, and other input. It writes
the characters into buffers such as file and exp_buf and
others which are of length LINE_LEN.

To prevent writing beyond the end of the intended buffer,
truncate the input at LINE_LEN - 1 and ensure that the
string is NULL terminated.

Change-Id: I142baa8cfae38bdd7fa648d86559d6d9b8e7a7fd

diff --git a/minix/usr.bin/mined/mined1.c b/minix/usr.bin/mined/mined1.c
index bcc8447a99d18c84e531c12b158e0ea9b08935cb..aa9909b41f4388e2a07478ac52b3d13c58db2b11 100644 (file)
--- a/minix/usr.bin/mined/mined1.c
+++ b/minix/usr.bin/mined/mined1.c
@@ -1694,6 +1694,9 @@ int input(char *inbuf, FLAG clearfl)
                        }
                        else
                                ring_bell();
+
+                       if (ptr - inbuf >= LINE_LEN - 1)
+                               return FINE;
        }
   }
   quit = FALSE;