From cd969e8908ddd59accc5f84f19dcac20c82645d8 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Wed, 23 Jun 2021 11:37:31 +0200
Subject: [PATCH] more: fix null-pointer dereference

The command allows executing arbitrary shell commands while viewing a file by entering '!' followed by the command. Entering a command that contains a '%', '!', or '\' causes a segmentation violation. The same more(1) function has a problem when not file is specified (cat /etc/passwd | more) on command line.

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1975153
Signed-off-by: Karel Zak
---
 text-utils/more.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/text-utils/more.c b/text-utils/more.c
index 3f45d1114..e2898e52f 100644
--- a/text-utils/more.c
+++ b/text-utils/more.c
@@ -1113,13 +1113,18 @@ static void expand(struct more_control *ctl, char *inbuf)
 char *outstr;
 char c;
 char *temp;
- int tempsz, xtra, offset;
+ int tempsz, xtra = 0, offset;
+
+ if (!ctl->no_tty_in)
+ xtra += strlen(ctl->file_names[ctl->argv_position]) + 1;
+ if (ctl->shell_line)
+ xtra += strlen(ctl->shell_line) + 1;
 
- xtra = strlen(ctl->file_names[ctl->argv_position]) + strlen(ctl->shell_line) + 1;
 tempsz = COMMAND_BUF + xtra;
 temp = xmalloc(tempsz);
 inpstr = inbuf;
 outstr = temp;
+
 while ((c = *inpstr++) != '\0') {
 offset = outstr - temp;
 if (tempsz - offset - 1 < xtra) {
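Review bot: With `xtra` now starting at 0, it stays 0 when `ctl->no_tty_in` is set and `ctl->shell_line` is NULL, so the growth check `tempsz - offset - 1 < xtra` at the end of the hunk only guarantees room for the character about to be copied, whereas the old expression always contributed at least 1. Whether that matters depends on the copy and termination code in the loop body, which lies outside this hunk; if a trailing NUL is written after the last character, it would presumably rely on `inbuf` being shorter than `COMMAND_BUF`. Starting from `int tempsz, xtra = 1, offset;` would keep the previous one-byte margin regardless of the caller. The later uses of `ctl->file_names[ctl->argv_position]` and `ctl->shell_line` in the substitution branches are not visible here and need the same two guards, since sizing the buffer safely does not by itself stop a NULL from being passed to a copy.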