From: Karel Zak <kzak@redhat.com>
Date: Wed, 23 Jun 2021 09:37:31 +0000 (+0200)
Subject: more: fix null-pointer dereference
X-Git-Tag: v2.38-rc1~392
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=86f05d3946193c447bc8f9120d7046f92da54209;p=thirdparty%2Futil-linux.git

more: fix null-pointer dereference

The command allows executing arbitrary shell commands while viewing a file by
entering '!' followed by the command. Entering a command that contains a '%',
'!', or '\' causes a segmentation violation.

The same more(1) function has a problem when not file is specified (cat
/etc/passwd | more) on command line.

Addresses: https://bugzilla.redhat.com/show_bug.cgi?id=1975153
Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/text-utils/more.c b/text-utils/more.c
index a57159132b..6299e8d828 100644
--- a/text-utils/more.c
+++ b/text-utils/more.c
@@ -1113,13 +1113,18 @@ static void expand(struct more_control *ctl, char *inbuf)
 	char *outstr;
 	char c;
 	char *temp;
-	int tempsz, xtra, offset;
+	int tempsz, xtra = 0, offset;
+
+	if (!ctl->no_tty_in)
+		xtra += strlen(ctl->file_names[ctl->argv_position]) + 1;
+	if (ctl->shell_line)
+		xtra += strlen(ctl->shell_line) + 1;
 
-	xtra = strlen(ctl->file_names[ctl->argv_position]) + strlen(ctl->shell_line) + 1;
 	tempsz = COMMAND_BUF + xtra;
 	temp = xmalloc(tempsz);
 	inpstr = inbuf;
 	outstr = temp;
+
 	while ((c = *inpstr++) != '\0') {
 		offset = outstr - temp;
 		if (tempsz - offset - 1 < xtra) {