
Another try at fixing Coverity 1008328 in /bin/sh
ClosedPublic

Authored by truckman on May 25 2016, 2:00 AM.
Tags
None

Details

Reviewers
jilles
cem
Commits
rS301571: MFC r301139
Summary

The final possible iteration of the for loop is with i = 126
since the test at the top of the loop is i < PROMPTLEN - 1.
If we take the default case of the switch that handles
*fmt == '\\', we will always take the true branch of the
if (i < PROMPTLEN - 1). That will increment i to 127, and
when we jump back to the top of the loop, i will get incremented
to 128 and we will overflow the ps[] array when storing the
final NUL. Fix this by changing the test in the default case
to (i < PROMPTLEN - 2).
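
The index arithmetic traced in the summary, as an added example (a simplified model written for this page, not the FreeBSD source or the committed diff). It assumes PROMPTLEN is 128, which follows from the summary's "i = 126" being the last iteration; the function names are hypothetical, and the buffers carry slack bytes so the out-of-range index can be observed without actually overflowing.

```c
#include <stdio.h>
#include <string.h>

#define PROMPTLEN 128   /* assumption: implied by "final iteration is i = 126" */
#define SLACK     8     /* extra room so the model itself never overflows */

/*
 * Model of the loop: only the default backslash case is kept.
 * default_limit is the bound used in the default-case test.
 * Returns the index at which the terminating NUL is stored; a real
 * ps[PROMPTLEN] array only has valid indices 0 .. PROMPTLEN - 1.
 */
static int expand(const char *fmt, char *ps, int default_limit)
{
    int i;

    for (i = 0; i < PROMPTLEN - 1 && *fmt != '\0'; i++, fmt++) {
        if (*fmt == '\\' && fmt[1] != '\0') {
            ++fmt;                      /* character after the backslash */
            ps[i] = '\\';
            if (i < default_limit)      /* the test changed by the fix */
                ps[++i] = *fmt;
        } else {
            ps[i] = *fmt;
        }
    }
    ps[i] = '\0';
    return i;
}

/* Constructed worst case: 126 plain characters, then backslash + 'q'. */
static int worst_case_nul_index(int default_limit)
{
    char fmt[PROMPTLEN + SLACK], ps[PROMPTLEN + SLACK];

    memset(fmt, 'a', PROMPTLEN - 2);
    fmt[PROMPTLEN - 2] = '\\';
    fmt[PROMPTLEN - 1] = 'q';
    fmt[PROMPTLEN] = '\0';
    return expand(fmt, ps, default_limit);
}

int main(void)
{
    printf("old test (PROMPTLEN - 1): NUL at index %d\n",
        worst_case_nul_index(PROMPTLEN - 1));
    printf("new test (PROMPTLEN - 2): NUL at index %d\n",
        worst_case_nul_index(PROMPTLEN - 2));
    return 0;
}
```

With the old bound the NUL lands at index 128, one past the end of a 128-byte array; with the new bound it lands at index 127, the last valid slot.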

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

truckman retitled this revision from to Another try at fixing Coverity 1008328 in /bin/sh.
truckman updated this object.
truckman edited the test plan for this revision.
truckman added reviewers: jilles, cem.
cem edited edge metadata.
This revision is now accepted and ready to land. May 25 2016, 2:08 AM
This revision was automatically updated to reflect the committed changes.