more: fix null-pointer dereference

The command allows executing arbitrary shell commands while viewing a file by
entering '!' followed by the command. Entering a command that contains a '%',
'!', or '\' causes a segmentation violation.

The same more(1) function has a problem when not file is specified (cat
/etc/passwd | more) on command line.

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1975153
Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/text-utils/more.c b/text-utils/more.c
index a57159132b0ab2295cfbc8ca52bbcb7c0f93c001..6299e8d828f007293da295d782ae2d2c1533ed60 100644 (file)
--- a/text-utils/more.c
+++ b/text-utils/more.c
@@ -1113,13 +1113,18 @@ static void expand(struct more_control *ctl, char *inbuf)
        char *outstr;
        char c;
        char *temp;
-       int tempsz, xtra, offset;
+       int tempsz, xtra = 0, offset;
+
+       if (!ctl->no_tty_in)
+               xtra += strlen(ctl->file_names[ctl->argv_position]) + 1;
+       if (ctl->shell_line)
+               xtra += strlen(ctl->shell_line) + 1;
 
-       xtra = strlen(ctl->file_names[ctl->argv_position]) + strlen(ctl->shell_line) + 1;
        tempsz = COMMAND_BUF + xtra;
        temp = xmalloc(tempsz);
        inpstr = inbuf;
        outstr = temp;
+
        while ((c = *inpstr++) != '\0') {
                offset = outstr - temp;
                if (tempsz - offset - 1 < xtra) {