| author | Mikael Magnusson <mikachu@gmail.com> | 2026-05-08 17:37:52 +0200 |
|---|---|---|
| committer | Mikael Magnusson <mikachu@gmail.com> | 2026-05-16 18:28:27 +0200 |
| commit | fe5cbe71f019d96aa2a1cc314846df684a01d0db (patch) | |
| tree | 33f880318096cfd7a2e9faf1cfc03173d0c6b2c7 | |
| parent | 54537: Coverity CID 1372427 buffer overrun in zexecve() (diff) | |
54538: Coverity CID 1637382 bsiz can overflow when reading a large heredoc
Use a size_t and explicit size check, although presumably the realloc
will fail long before we get to this point. In theory if we did, though,
the code would loop forever with bsiz==0 which wouldn't be great.
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | Src/exec.c | 5 |
2 files changed, 6 insertions, 2 deletions
@@ -1,5 +1,8 @@
 2026-05-16 Mikael Magnusson <mikachu@gmail.com>
+ * 54538: Src/exec.c: Coverity CID 1637382 bsiz can overflow when
+ reading a large heredoc
+ * 54537: Src/exec.c: Coverity CID 1372427 buffer overrun in zexecve()
diff --git a/Src/exec.c b/Src/exec.c
index 7ea669f35..2c730b910 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -4574,7 +4574,8 @@ char *
 gethere(char **strp, int typ)
 {
 char *buf;
- int bsiz, qt = 0, strip = 0;
+ int qt = 0, strip = 0;
+ size_t bsiz;
 char *s, *t, *bptr, c;
 char *str = *strp;
@@ -4601,7 +4602,7 @@ gethere(char **strp, int typ)
 if (bptr >= buf + bsiz - 2) {
 ptrdiff_t toff = t - buf;
 ptrdiff_t bptroff = bptr - buf;
- char *newbuf = realloc(buf, 2 * bsiz);
+ char *newbuf = (bsiz <= SIZE_MAX / 2 ) ? realloc(buf, 2 * bsiz) : NULL;
 if (!newbuf) {
 /* out of memory */
 zfree(buf, bsiz);
|
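Review bot: The new guard on the `char *newbuf = (bsiz <= SIZE_MAX / 2 ) ? realloc(buf, 2 * bsiz) : NULL;` line carries no comment, so a later reader sees an odd-looking comparison with no hint that it exists because a wrapped `2 * bsiz` would hand realloc a tiny or zero size and leave `bptr` pointing past a shrunk buffer; add `/* 2 * bsiz must not wrap: a wrapped size would shrink the buffer under bptr (Coverity CID 1637382) */` above it and drop the stray space before the closing parenthesis, `(bsiz <= SIZE_MAX / 2)`. With bsiz now unsigned, `buf + bsiz - 2` in the enclosing condition relies on bsiz never being below 2, and `zfree(buf, bsiz)` now passes a size_t where the zfree prototype may take a narrower type; bsiz's initial value and the zfree declaration are outside this hunk and worth confirming. SIZE_MAX requires <stdint.h> to be in scope; presumably it arrives through zsh's system headers, but that is not visible here. gethere() starts in the previous hunk and continues past this one.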
