From: Thomas Habets
Subject: find: fix single null byte overflow
To: tech@openbsd.org
Date: Mon, 18 May 2026 07:48:12 -0500

Problem: Terminating null written unconditionally one past end of buffer if subst value is exactly a resize size.

Triggering it:

```
find . -name find.c -exec echo $(printf '%128s' '' \
| sed 's/./{}/g'; echo -n 'x') \; > /dev/null
```

This looks like it triggers it, from my printf-instrumented version printing pointer values.

Severity: I'm not aware of any way to overwrite anything useful, including crashing anything. But I'm also not an expert in that.

Patch

Index: usr.bin/find/misc.c
===================================================================
RCS file: /cvs/src/usr.bin/find/misc.c,v
diff -u -p -u -p -r1.18 misc.c
--- usr.bin/find/misc.c	8 Mar 2023 04:43:11 -0000	1.18
+++ usr.bin/find/misc.c	18 May 2026 12:29:47 -0000
@@ -60,7 +60,7 @@ brace_subst(char *orig, char **store, ch
 	plen = strlen(path);
 	for (p = *store; (ch = *orig); ++orig)
 		if (ch == '{' && orig[1] == '}') {
-			while ((p - *store) + plen > len) {
+			while ((p - *store) + plen >= len) {
 				ptrdiff_t p_off;
 				char *newstore;
 

Found with GPT 5.5, confirmed (incl example trigger) and fixed manually.

--
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas@habets.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "9907 8698 8A24 F52F 1C2E 87F6 39A4 9EEA 460A 0169" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
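Review bot: the `>=` in the new while condition correctly reserves the byte for the terminating NUL that is written after the loop, but the hunk only shows the `{}` expansion path; since the trigger in the mail depends on a trailing literal 'x' after 128 expansions, confirm that the non-brace branch of the for loop also cannot write at offset `len` once the buffer has been filled exactly by an expansion, and consider adding that trigger command as a regression test. A one-line comment above the loop saying why it is `>=` rather than `>` (room for the NUL) would keep the next reader from "fixing" it back.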
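To make the off-by-one concrete, here is an added model of the resize loop the patch changes; it is not OpenBSD's misc.c but a hypothetical reimplementation that bounds-checks every write and counts, instead of performing, any write that would land past the end of the buffer. The `fixed` argument selects between the old `>` and the new `>=` comparison; the path and buffer sizes in the test are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the find(1) brace_subst() resize loop, written for
 * this note; it is not OpenBSD's misc.c. The buffer starts at 'len' bytes
 * and doubles while a "{}" expansion does not fit. 'fixed' selects the
 * comparison from the patch: 0 is the old '>', 1 is the new '>='. Unlike the
 * real code, every write is bounds-checked: a byte that would land at index
 * >= len is counted instead of written, and a guard byte is allocated so the
 * result is always a readable string. Returns the number of such writes. */
int
model_subst(const char *orig, const char *path, size_t len, int fixed,
    char **out)
{
	size_t plen = strlen(path), off;
	char *store, *newstore, *p, ch;
	int oob = 0;
	if ((store = calloc(len + 1, 1)) == NULL)
		abort();
	for (p = store; (ch = *orig) != '\0'; ++orig) {
		if (ch == '{' && orig[1] == '}') {
			/* '>' grows only if the path itself does not fit; '>='
			 * also grows if it would fill the last byte, keeping
			 * room for the terminating NUL written after the loop */
			while (fixed ? (size_t)(p - store) + plen >= len
			    : (size_t)(p - store) + plen > len) {
				off = p - store;
				len *= 2;
				if ((newstore = realloc(store, len + 1)) == NULL)
					abort();
				store = newstore;
				p = store + off;
			}
			memcpy(p, path, plen);
			p += plen;
			++orig;		/* skip the '}' */
		} else if ((size_t)(p - store) < len) {
			*p++ = ch;
		} else
			oob++;		/* literal byte would land past the end */
	}
	/* the real code writes *p = '\0' unconditionally; with p already at
	 * store[len] that is the one-byte overflow the patch fixes */
	if ((size_t)(p - store) >= len) {
		oob++;
		p = store + len;	/* use the guard byte instead */
	}
	*p = '\0';
	*out = store;
	return oob;
}
```

With an 8-byte buffer and an 8-byte path, a single `{}` fills the buffer exactly and the old comparison never grows it, so the NUL is the out-of-bounds write; the new comparison doubles the buffer first.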