48 lines
1.6 KiB
Diff
48 lines
1.6 KiB
Diff
From 78c87b3f3b359fac5401f81a86dd9e2f5968220e Mon Sep 17 00:00:00 2001
|
|
From: Pino Toscano <ptoscano@redhat.com>
|
|
Date: Thu, 19 Jul 2018 15:43:21 +0200
|
|
Subject: [PATCH] * src/augtool.c: fix access to invalid memory
|
|
|
|
When stripping the context from the result, readline_path_generator used
|
|
to realloc the string to a shorter size, copying only the content after
|
|
the prefix. This resulted in reading with strcpy from the previous
|
|
memory, which is freed already. Avoid the issue, and simplify the code
|
|
by using strdup, freeing the old string.
|
|
|
|
This issue could be reproduced in augtool, trying to autocomplete files
|
|
without the /files prefix, e.g.:
|
|
augtool> ls <TAB><TAB>
|
|
|
|
(cherry picked from commit 05b5784b2029f198ea486738d33fb7b49ef23eb8)
|
|
---
|
|
src/augtool.c | 10 ++++------
|
|
1 file changed, 4 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/augtool.c b/src/augtool.c
|
|
index ff097bd9..2745812c 100644
|
|
--- a/src/augtool.c
|
|
+++ b/src/augtool.c
|
|
@@ -153,15 +153,13 @@ static char *readline_path_generator(const char *text, int state) {
|
|
|
|
/* strip off context if the user didn't give it */
|
|
if (ctx != NULL) {
|
|
- char *c = realloc(child, strlen(child)-strlen(ctx)+1);
|
|
- if (c == NULL) {
|
|
- free(child);
|
|
- return NULL;
|
|
- }
|
|
int ctxidx = strlen(ctx);
|
|
if (child[ctxidx] == SEP)
|
|
ctxidx++;
|
|
- strcpy(c, &child[ctxidx]);
|
|
+ char *c = strdup(&child[ctxidx]);
|
|
+ free(child);
|
|
+ if (c == NULL)
|
|
+ return NULL;
|
|
child = c;
|
|
}
|
|
|
|
--
|
|
2.17.2
|
|
|