author | 2014-12-12 05:00:55 +0000 | |
---|---|---|
committer | 2014-12-12 05:00:55 +0000 | |
commit | 6bcb7e1679bbed939400ca6f776635fea746ab0d (patch) | |
tree | 606da5bcc34e042eb7f9eb34204bea23241830e2 | |
parent | Bounds check the file path used in the 'w' command. Modified version (diff) | |
Range check the value of the base for typeset -i base x=y. Instead of
erroring for values outside of the range switch to base 10 to match the
behaviour of ksh93. As we have a smaller digit alphabet than ksh93 the
accepted range is smaller (2-36) than ksh93 (2-64). The other form
of setting a base, typeset -i x=base#y already has a range check that
errors (as ksh93 also does for that syntax).
Fixes a crash found with the afl fuzzer.
-rw-r--r-- | bin/ksh/var.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/bin/ksh/var.c b/bin/ksh/var.c index 82ea76f71c5..540adc1caa0 100644 --- a/bin/ksh/var.c +++ b/bin/ksh/var.c @@ -1,4 +1,4 @@ -/* $OpenBSD: var.c,v 1.39 2014/12/08 21:48:27 deraadt Exp $ */ +/* $OpenBSD: var.c,v 1.40 2014/12/12 05:00:55 jsg Exp $ */ #include "sh.h" #include <time.h> @@ -309,6 +309,8 @@ str_val(struct tbl *vp) else n = (vp->val.i < 0) ? -vp->val.i : vp->val.i; base = (vp->type == 0) ? 10 : vp->type; + if (base < 2 || base > strlen(digits)) + base = 10; *--s = '\0'; do { |
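Review bot: In the str_val() hunk, the new check resets only the local `base` and leaves `vp->type` holding the out-of-range value, so any other code that reads `vp->type` as a base still sees it. Consider also normalizing the value at the point where `typeset -i base x=y` stores it, and keep this check as a backstop. The comparison `base > strlen(digits)` mixes `base` with a `size_t` and recomputes the length on every call. If `base` is a signed type, the comparison is correct only because `base < 2` is tested first, so a named constant for the maximum base (36 according to the commit message) or an explicit cast would make the intent clearer. A short comment stating that the silent fallback to base 10 is deliberate ksh93 compatibility would also help, since the commit message notes that the `x=base#y` form errors instead.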