Fix possible out-of-bounds write in xec.c:iousepipe (rhbz#1506344)

Discussion/analysis: https://bugzilla.redhat.com/1506344 iousepipe() might write out of bounds, causing a crash, if subpipe[2] is set to a value >= sh.gd.lim.open_max. src/cmd/ksh93/sh/xec.c: iousepipe(): - Validate the FD using sh_iovalidfd() before the write.
ksh93 · Sep 29, 2020 · 1477b5f · 1477b5f
1 parent 9094171
commit 1477b5f
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/src/cmd/ksh93/sh/xec.c b/src/cmd/ksh93/sh/xec.c
@@ -170,6 +170,7 @@ static int iousepipe(Shell_t *shp)
 		return(1);
 	}
 	subpipe[2] = sh_fcntl(fd,F_dupfd_cloexec,10);
+	sh_iovalidfd(shp,subpipe[2]);
 	shp->fdstatus[subpipe[2]] = shp->fdstatus[1];
 	while(close(fd)<0 && errno==EINTR)
 		errno = err;