From: Marek Behún <marek.be...@nic.cz>
There is a possible overflow in env_match(): if environment contains
a terminating null-byte before '=' character (i.e. environment is
broken), the env_match() function can access data after the terminating
null-byte from parameter pointer.
Example: if env_get_char() returns characters from string array
"abc\0def\0" and env_match("abc", 0) is called, the function will access
at least one byte after the end of the "abc" literal.
Fix this by checking for terminating null-byte in env_match().
Signed-off-by: Marek Behún <marek.be...@nic.cz>
---
Change since v1:
- check for '\0' only after incrementing i2
---
cmd/nvedit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index e2e8a38b5d..a22445132b 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2)
if (s1 == NULL || *s1 == '\0')
return -1;
- while (*s1 == env_get_char(i2++))
+ while (*s1 == env_get_char(i2++) && *s1 != '\0')
if (*s1++ == '=')
return i2;
--
2.32.0
