From 67ccb0444a64ca650a6e446a3d120d69a537c573 Mon Sep 17 00:00:00 2001
From: William Bader
Date: Thu, 22 Oct 2020 22:55:28 +0000
Subject: fix for CVE-2019-19917 and CVE-2019-19918

The one in StringQuotedWord was more complicated because it was due to a string longer than MAX_BUFF, and when I fixed the access there, other places had errors. The one in srcnext needed only an extra test in a loop. I tested the manual in doc/user before and after, and the only differences seemed to be places that embedded the current time.
---
 z02.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'z02.c')
diff --git a/z02.c b/z02.c
index 6e3cf03..d0b6a12 100644
--- a/z02.c
+++ b/z02.c
@@ -379,7 +379,7 @@ static void srcnext(void)
 if( blksize != 0 && chpt < limit ) { debugcond0(DLA, DD, stack_free <= 1, "srcnext: transferring."); col = buf;
- while( chtbl[(*--col = *--limit)] != NEWLINE );
+ while( col > mem_block && chtbl[(*--col = *--limit)] != NEWLINE );
 frst = col + 1; limit++; blksize = 0; }
-- cgit
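Review bot: When the new `col > mem_block` test is what ends the loop, the statements after it still run `frst = col + 1; limit++;` as if a NEWLINE had been copied, so an over-long last line is silently cut short and the non-newline byte left at `mem_block` is skipped. The guard does stop the backward write from leaving the block (assuming `mem_block`, which is declared outside this hunk, is the start of the allocation that holds `buf`), but the two exit reasons should be told apart after the loop, for example with `if( chtbl[*col] != NEWLINE )` followed by the file's usual error report for a line that is too long. `limit` is decremented in the same expression with no bound of its own; it appears to stay in range only because it moves in step with `col`, and a short comment on the empty-bodied `while` stating that invariant would help the next reader. The body of srcnext starts and ends outside the hunk.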