circlecloud/tmux
1
0
Fork 0
mirror of https://github.com/tmux/tmux.git synced 2025-11-04 09:26:05 +00:00
Code Issues Projects Releases Wiki Activity

Do not double free argv from MSG_COMMAND if it is too long, reported by

Browse Source 
sai02 at student dot ubc dot ca via deraadt. ok deraadt
This commit is contained in:
nicm
2025-08-22 07:26:25 +00:00
parent 1370791734
commit 12452f4427
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server-client.c
View File

@@ -3446,7 +3446,7 @@ server_client_dispatch_command(struct client *c, struct imsg *imsg)
struct msg_command data; struct msg_command data;
char *buf; char *buf;
size_t len; size_t len;
int argc; int argc = 0;
char **argv, *cause; char **argv, *cause;
struct cmd_parse_result *pr; struct cmd_parse_result *pr;
struct args_value *values; struct args_value *values;
@@ -3465,12 +3465,12 @@ server_client_dispatch_command(struct client *c, struct imsg *imsg)
if (len > 0 && buf[len - 1] != '\0') if (len > 0 && buf[len - 1] != '\0')
fatalx("bad MSG_COMMAND string"); fatalx("bad MSG_COMMAND string");
argc = data.argc; if (cmd_unpack_argv(buf, len, data.argc, &argv) != 0) {
if (cmd_unpack_argv(buf, len, argc, &argv) != 0) {
cause = xstrdup("command too long"); cause = xstrdup("command too long");
goto error; goto error;
} }
argc = data.argc;
if (argc == 0) { if (argc == 0) {
cmdlist = cmd_list_copy(options_get_command(global_options, cmdlist = cmd_list_copy(options_get_command(global_options,
"default-client-command"), 0, NULL); "default-client-command"), 0, NULL);