| author | Mikael Magnusson <mikachu@gmail.com> | 2026-05-08 17:37:52 +0200 |
|---|---|---|
| committer | Mikael Magnusson <mikachu@gmail.com> | 2026-05-16 18:28:27 +0200 |
| commit | fe5cbe71f019d96aa2a1cc314846df684a01d0db (patch) | |
| tree | 33f880318096cfd7a2e9faf1cfc03173d0c6b2c7 /Src/exec.c | |
| parent | 54537: Coverity CID 1372427 buffer overrun in zexecve() (diff) | |
54538: Coverity CID 1637382 bsiz can overflow when reading a large heredoc
Use a size_t and explicit size check, although presumably the realloc
will fail long before we get to this point. In theory if we did, though,
the code would loop forever with bsiz==0 which wouldn't be great.
Diffstat (limited to 'Src/exec.c')
| -rw-r--r-- | Src/exec.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/Src/exec.c b/Src/exec.c
index 7ea669f35..2c730b910 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -4574,7 +4574,8 @@ char *
 gethere(char **strp, int typ)
 {
 char *buf;
- int bsiz, qt = 0, strip = 0;
+ int qt = 0, strip = 0;
+ size_t bsiz;
 char *s, *t, *bptr, c;
 char *str = *strp;
 
@@ -4601,7 +4602,7 @@ gethere(char **strp, int typ)
 if (bptr >= buf + bsiz - 2) {
 ptrdiff_t toff = t - buf;
 ptrdiff_t bptroff = bptr - buf;
- char *newbuf = realloc(buf, 2 * bsiz);
+ char *newbuf = (bsiz <= SIZE_MAX / 2 ) ? realloc(buf, 2 * bsiz) : NULL;
 if (!newbuf) {
 /* out of memory */
 zfree(buf, bsiz);
|
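Review bot: The new `size_t bsiz;` declaration in the first hunk carries no comment explaining why it is unsigned, and every other use of `bsiz` in gethere() now takes part in unsigned arithmetic. I would add `/* allocated size of buf; size_t so the doubling is checked against SIZE_MAX rather than overflowing an int */` and re-read the uses that lie outside this hunk. One is visible in the second hunk, `zfree(buf, bsiz)`: if zfree's size parameter is an `int` (its prototype is not shown here), the value is narrowed implicitly at that call. The body of gethere() continues beyond the hunk.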
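Review bot: The guard `bsiz <= SIZE_MAX / 2` on the realloc line in the second hunk still lets the doubled buffer exceed PTRDIFF_MAX, while the two lines above it store `t - buf` and `bptr - buf` in `ptrdiff_t`; pointer subtraction inside an object larger than PTRDIFF_MAX bytes is undefined. Bounding by the signed limit keeps those offsets representable: `char *newbuf = (bsiz <= PTRDIFF_MAX / 2) ? realloc(buf, 2 * bsiz) : NULL;`. Both `SIZE_MAX` and `PTRDIFF_MAX` come from `<stdint.h>`, and whether Src/exec.c already sees that header is not visible from this page. The stray space before `)` in `SIZE_MAX / 2 )` can be dropped at the same time. The enclosing `if` block ends outside the hunk.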
