https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 Commit [259ac4] Maximize History 42519, CVE-2018-1083: check bounds on PATH_MAX-sized buffer used for file completion candidates
--- a/Src/Zle/compctl.c
+++ b/Src/Zle/compctl.c
@@ -2176,6 +2176,8 @@
 if (prpre && *prpre) {
 pathpref = dupstring(prpre);
 unmetafy(pathpref, &pathpreflen);
+ if (pathpreflen > PATH_MAX)
+ return;
 /* system needs NULL termination, not provided by unmetafy */
 pathpref[pathpreflen] = '\0';
 } else {
@@ -2218,6 +2220,8 @@
 * the path buffer by appending the filename. */
 ums = dupstring(n);
 unmetafy(ums, ¨en);
+ if (umlen + pathpreflen + 1 > PATH_MAX)
+ continue;
 memcpy(q, ums, umlen);
 q[umlen] = '\0';
 /* And do the stat. */
@@ -2232,6 +2236,8 @@
 /* We have to test for a path suffix. */
 int o = strlen(p), tt;
+ if (o + strlen(psuf) > PATH_MAX)
+ continue;
 /* Append it to the path buffer. */
 strcpy(p + o, psuf);
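Review bot: The three new bounds checks do not count the terminating NUL the same way, and the declaration of the buffer `p` is outside the diff, so the intended bound cannot be confirmed from these lines. The second hunk rejects `umlen + pathpreflen + 1 > PATH_MAX`, but the check in this first hunk accepts `pathpreflen == PATH_MAX`, and the third hunk accepts `o + strlen(psuf) == PATH_MAX`, after which `strcpy(p + o, psuf)` writes one further byte for the terminator. If `p` holds exactly PATH_MAX bytes, as the commit title suggests, that leaves a one-byte overflow; `if (pathpreflen >= PATH_MAX)` here and `if (o + strlen(psuf) + 1 > PATH_MAX)` in the third hunk would match the second hunk's accounting and are safe for either buffer size. The enclosing function begins and ends outside all three hunks.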
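Review bot: The check added in the second hunk carries no comment, unlike the lines around it; `/* Skip names that do not fit in p together with the prefix and the NUL. */` above the `if` would record what the `+ 1` is for. The bound is only correct if `q` points `pathpreflen` bytes into `p`, and that assignment is outside the hunk. The context line printed as `unmetafy(ums, ¨en);` looks like an extraction artefact of `&umlen`, the variable that the new check and the `memcpy` both use.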