Zsh Mailing List Archive

PATCH: Coverity CID 1372427 buffer overrun in zexecve()



This one is probably harmless; it's in BSS and we're about to throw away
our entire address space. Ironically, I think this change doesn't
actually fix the CID, because it's complaining about the strcpy, but pth
will always fit in buf; the problem is pwd.
---
 Src/exec.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Src/exec.c b/Src/exec.c
index 675245cae6..7ea669f35b 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -504,7 +504,7 @@ static int
 zexecve(char *pth, char **argv, char **newenvp)
 {
     int eno;
-    static char buf[PATH_MAX * 2+1];
+    static char buf[PATH_MAX * 2+2+1+1]; /* enough room if pwd fits in PATH_MAX */
     char **eep;
 
     unmetafy(pth, NULL);
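Review bot: the new size expression `PATH_MAX * 2+2+1+1` leaves the reader to work out what each term is for; the comment should spell it out, e.g. `/* "_=" prefix + pwd + "/" + pth + NUL, assuming pwd fits in PATH_MAX */`, or the size could be built from named parts. Note also that the comment's precondition is not enforced: nothing here checks that `unmeta(pwd)` is at most PATH_MAX bytes, so the enlarged buffer only rules out an overrun if every write into `buf` is bounded.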
@@ -516,7 +516,8 @@ zexecve(char *pth, char **argv, char **newenvp)
     if (*pth == '/')
 	strcpy(buf + 2, pth);
     else
-	sprintf(buf + 2, "%s/%s", unmeta(pwd), pth);
+	/* not checking for truncation because what would we do? */
+	snprintf(buf + 2, sizeof(buf) - 2, "%s/%s", unmeta(pwd), pth);
     zputenv(buf);
 #ifndef FD_CLOEXEC
     closedumps();
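Review bot: `strcpy(buf + 2, pth)` on the `*pth == '/'` branch stays unbounded while the `else` branch becomes bounded, and per the commit message that strcpy is the line Coverity is reporting, so the warning will probably persist; bounding both branches the same way, e.g. `snprintf(buf + 2, sizeof(buf) - 2, "%s", pth);`, would close the CID and keep the two paths consistent. `sizeof(buf) - 2` is correct here because `buf` is a static array in this function rather than a pointer. If silently truncating is the intended behaviour, the comment could say that a truncated `_` value is then exported to the child via `zputenv`; otherwise the `snprintf` return value compared against `sizeof(buf) - 2` would detect truncation.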
-- 
2.38.1