Reallocate the buffer correctly when appending a newline.

Fixes a potential buffer overflow introduced in the last commit.
2021-02-03 15:13:03 -07:00
parent b4cabdb394
commit 10e37223b5
2 changed files with 6 additions and 6 deletions
--- a/plugins/sudoers/toke.c
+++ b/plugins/sudoers/toke.c
@@ -5472,14 +5472,14 @@ sudoers_input(char *buf, yy_size_t max_size)
 	/* Add trailing newline if it is missing. */
 	if (sudolinebuf.buf[avail - 1] != '\n') {
-	    if (avail == sudolinebuf.size) {
+	    if (avail + 2 >= sudolinebuf.size) {
-		char *cp = realloc(sudolinebuf.buf, avail + 1);
+		char *cp = realloc(sudolinebuf.buf, avail + 2);
 		if (cp == NULL) {
 		    YY_FATAL_ERROR("unable to allocate memory");
 		    return 0;
 		}
 		sudolinebuf.buf = cp;
-		sudolinebuf.size++;
+		sudolinebuf.size = avail + 2;
 	    }
 	    sudolinebuf.buf[avail++] = '\n';
 	    sudolinebuf.buf[avail] = '\0';
--- a/plugins/sudoers/toke.l
+++ b/plugins/sudoers/toke.l
@@ -1277,14 +1277,14 @@ sudoers_input(char *buf, yy_size_t max_size)
 	/* Add trailing newline if it is missing. */
 	if (sudolinebuf.buf[avail - 1] != '\n') {
-	    if (avail == sudolinebuf.size) {
+	    if (avail + 2 >= sudolinebuf.size) {
-		char *cp = realloc(sudolinebuf.buf, avail + 1);
+		char *cp = realloc(sudolinebuf.buf, avail + 2);
 		if (cp == NULL) {
 		    YY_FATAL_ERROR("unable to allocate memory");
 		    return 0;
 		}
 		sudolinebuf.buf = cp;
-		sudolinebuf.size++;
+		sudolinebuf.size = avail + 2;
 	    }
 	    sudolinebuf.buf[avail++] = '\n';
 	    sudolinebuf.buf[avail] = '\0';