From e5855e8ab52767d9deb6723e0903be85cdb38e3e Mon Sep 17 00:00:00 2001 From: Thomas Cort Date: Tue, 22 Dec 2015 03:07:01 +0000 Subject: [PATCH] mined: fix buffer overflow in input() input() is used to accept filenames when saving, regular expressions when searching, and other input. It writes the characters into buffers such as file and exp_buf and others which are of length LINE_LEN. To prevent writing beyond the end of the intended buffer, truncate the input at LINE_LEN - 1 and ensure that the string is NULL terminated. Change-Id: I142baa8cfae38bdd7fa648d86559d6d9b8e7a7fd --- minix/usr.bin/mined/mined1.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/minix/usr.bin/mined/mined1.c b/minix/usr.bin/mined/mined1.c index bcc8447a9..aa9909b41 100644 --- a/minix/usr.bin/mined/mined1.c +++ b/minix/usr.bin/mined/mined1.c @@ -1694,6 +1694,9 @@ int input(char *inbuf, FLAG clearfl) } else ring_bell(); + + if (ptr - inbuf >= LINE_LEN - 1) + return FINE; } } quit = FALSE;