From ef31660ff2318df0a18dcdf721883a6a75d6e58a Mon Sep 17 00:00:00 2001 From: Thomas Cort Date: Tue, 22 Dec 2015 03:07:01 +0000 Subject: [PATCH] mined: fix buffer overflow in input() input() is used to accept filenames when saving, regular expressions when searching, and other input. It writes the characters into buffers such as file and exp_buf and others which are of length LINE_LEN. To prevent writing beyond the end of the intended buffer, truncate the input at LINE_LEN - 1 and ensure that the string is NULL terminated. Change-Id: I142baa8cfae38bdd7fa648d86559d6d9b8e7a7fd --- minix/usr.bin/mined/mined1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/minix/usr.bin/mined/mined1.c b/minix/usr.bin/mined/mined1.c index bcc8447a9..aa9909b41 100644 --- a/minix/usr.bin/mined/mined1.c +++ b/minix/usr.bin/mined/mined1.c @@ -1694,6 +1694,9 @@ int input(char *inbuf, FLAG clearfl) } else ring_bell(); + + if (ptr - inbuf >= LINE_LEN - 1) + return FINE; } } quit = FALSE; -- 2.44.0