edit.c: fix out of bounds write in output buffer

When allocating the output buffer, the pointer to the last byte, ep->e_outlast, is set to one past the end of the buffer. This can cause an out of bounds write in ed_putbyte()/ed_putchar() while setting the terminating zero byte. Fix this by setting it to the last byte of the buffer instead.
ksh93 · Jan 8, 2025 · e5c1a73 · e5c1a73
1 parent 63c7571
commit e5c1a73
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/cmd/ksh93/edit/edit.c b/src/cmd/ksh93/edit/edit.c
@@ -535,13 +535,13 @@ void	ed_setup(Edit_t *ep, int fd, int reedit)
 		if(!buff)
 			buff = (char*)sh_malloc(MAXLINE);
 		ep->e_outbase = ep->e_outptr = buff;
-		ep->e_outlast = ep->e_outptr + MAXLINE;
+		ep->e_outlast = ep->e_outptr + MAXLINE - 1;
 		return;
 	}
 	qlen = sfset(sfstderr,SFIO_READ,0);
 	/* make sure SFIO_READ not on */
 	ep->e_outbase = ep->e_outptr = (char*)sfreserve(sfstderr,SFIO_UNBOUND,SFIO_LOCKR);
-	ep->e_outlast = ep->e_outptr + sfvalue(sfstderr);
+	ep->e_outlast = ep->e_outptr + sfvalue(sfstderr) - 1;
 	if(qlen)
 		sfset(sfstderr,SFIO_READ,1);
 	sfwrite(sfstderr,ep->e_outptr,0);