From 2dcbb773053bd3117476de70b5a9dd09ad4cb213 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 11 Jul 2005 14:08:24 +0000
Subject: Fix off-by-one bug in readtty() and don't assume BUFSIZ == 1024. Based on a patch from Ulf Harnhammar.
---
 usr.bin/mail/list.c | 7 ++++---
 usr.bin/mail/tty.c | 13 +++++-------
 2 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/usr.bin/mail/list.c b/usr.bin/mail/list.c
index 4bfaff919b0..3c53d7fcf6d 100644
--- a/usr.bin/mail/list.c
+++ b/usr.bin/mail/list.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: list.c,v 1.15 2004/09/15 22:21:40 deraadt Exp $ */
+/* $OpenBSD: list.c,v 1.16 2005/07/11 14:08:23 millert Exp $ */
 /* $NetBSD: list.c,v 1.7 1997/07/09 05:23:36 mikel Exp $ */
 
 /*
@@ -34,7 +34,7 @@
 #if 0
 static const char sccsid[] = "@(#)list.c 8.4 (Berkeley) 5/1/95";
 #else
-static const char rcsid[] = "$OpenBSD: list.c,v 1.15 2004/09/15 22:21:40 deraadt Exp $";
+static const char rcsid[] = "$OpenBSD: list.c,v 1.16 2005/07/11 14:08:23 millert Exp $";
 #endif
 #endif /* not lint */
 
@@ -543,7 +543,8 @@ scan(char **sp)
 lexnumber = 0;
 while (isdigit(c)) {
 lexnumber = lexnumber*10 + c - '0';
- *cp2++ = c;
+ if (cp2 - lexstring < STRINGLEN - 1)
+ *cp2++ = c;
 c = *cp++;
 }
 *cp2 = '\0';
diff --git a/usr.bin/mail/tty.c b/usr.bin/mail/tty.c
index e647002e5e6..a4eb1c1c9b8 100644
--- a/usr.bin/mail/tty.c
+++ b/usr.bin/mail/tty.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tty.c,v 1.17 2003/06/03 02:56:11 millert Exp $ */
+/* $OpenBSD: tty.c,v 1.18 2005/07/11 14:08:23 millert Exp $ */
 /* $NetBSD: tty.c,v 1.7 1997/07/09 05:25:46 mikel Exp $ */
 
 /*
@@ -34,7 +34,7 @@
 #if 0
 static const char sccsid[] = "@(#)tty.c 8.2 (Berkeley) 4/20/95";
 #else
-static const char rcsid[] = "$OpenBSD: tty.c,v 1.17 2003/06/03 02:56:11 millert Exp $";
+static const char rcsid[] = "$OpenBSD: tty.c,v 1.18 2005/07/11 14:08:23 millert Exp $";
 #endif
 #endif /* not lint */
 
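Review bot: The new bound in the scan() hunk stops writing into lexstring once STRINGLEN - 1 bytes are filled, but the loop keeps executing `lexnumber = lexnumber*10 + c - '0'` for every further digit, so the stored string and the numeric value silently diverge, and if lexnumber is a signed int (its declaration is outside this hunk) a long enough digit run overflows it, which is undefined behaviour. An overflow guard before the multiply, e.g. `if (lexnumber > (INT_MAX - (c - '0')) / 10) { /* report overflow */ }`, would make the limit explicit rather than relying on the string bound alone. At minimum the new `if` deserves a comment such as `/* drop digits past STRINGLEN-1; lexnumber still accumulates */` so the next reader knows the truncation is deliberate. scan() begins and ends outside this hunk, so how a truncated token is reported to the caller is not visible here.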
@@ -191,7 +191,7 @@ readtty(char *pr, char *src)
 fputs(pr, stdout);
 fflush(stdout);
- if (src != NULL && strlen(src) > BUFSIZ - 2) {
+ if (src != NULL && strlen(src) > sizeof(canonb) - 2) {
 puts("too long to edit");
 return(src);
 }
 
@@ -216,10 +216,6 @@ readtty(char *pr, char *src)
 cp = canonb;
 *cp = 0;
 #endif
- cp2 = cp;
- while (cp2 < canonb + BUFSIZ)
- *cp2++ = 0;
- cp2 = cp;
 sigemptyset(&act.sa_mask);
 act.sa_flags = 0; /* Note: will not restart syscalls */
 act.sa_handler = ttyint;
@@ -230,7 +226,8 @@ readtty(char *pr, char *src)
 (void)sigaction(SIGTTIN, &act, NULL);
 (void)sigprocmask(SIG_UNBLOCK, &intset, &oset);
 clearerr(stdin);
- while (cp2 < canonb + BUFSIZ) {
+ memset(cp, 0, canonb + sizeof(canonb) - cp);
+ for (cp2 = cp; cp2 < canonb + sizeof(canonb) - 1; ) {
 c = getc(stdin);
 switch (ttysignal) {
 case SIGINT:
-- 
cgit v1.2.3
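Review bot: In the third hunk the rewritten loop `for (cp2 = cp; cp2 < canonb + sizeof(canonb) - 1; ) {` has an empty increment clause, so it is a while loop written as a for; `cp2 = cp;` followed by `while (cp2 < canonb + sizeof(canonb) - 1) {` reads more plainly, and the reserved byte deserves a comment such as `/* leave one byte for the NUL terminator */` since that `- 1` is the whole off-by-one fix. All three hunks now depend on `sizeof(canonb)` being the size of a local array rather than a pointer; canonb's declaration is outside these hunks, so that is worth confirming once, as `sizeof` on a pointer would silently shrink every bound here. The body of readtty continues past the end of this hunk, so the store through cp2 that advances the loop is not visible.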