From 30f5d0522a753d683bf5a216754ce4c499c98b4e Mon Sep 17 00:00:00 2001
From: Peter Stephenson <pws@zsh.org>
Date: Tue, 9 May 2017 17:49:18 +0100
Subject: [PATCH 2/2] 40181: Fix buffer overrun in xsymlinks.
There was no check for copying to the internal xbuf2 for a
preliminary test.
Upstream-commit: c7a9cf465dd620ef48d586026944d9bd7a0d5d6d
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
Src/utils.c | 14 +++++++++++---
Test/D02glob.ztst | 8 ++++++++
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/Src/utils.c b/Src/utils.c
index 7f3ddad..a54e310 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -886,7 +886,7 @@ xsymlinks(char *s, int full)
char **pp, **opp;
char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];
int t0, ret = 0;
- zulong xbuflen = strlen(xbuf);
+ zulong xbuflen = strlen(xbuf), pplen;
opp = pp = slashsplit(s);
for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
@@ -907,10 +907,18 @@ xsymlinks(char *s, int full)
xbuflen--;
continue;
}
- sprintf(xbuf2, "%s/%s", xbuf, *pp);
+ /* Includes null byte. */
+ pplen = strlen(*pp) + 1;
+ if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
+ *xbuf = 0;
+ ret = -1;
+ break;
+ }
+ memcpy(xbuf2, xbuf, xbuflen);
+ xbuf2[xbuflen] = '/';
+ memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
if (t0 == -1) {
- zulong pplen = strlen(*pp) + 1;
if ((xbuflen += pplen) < sizeof(xbuf)) {
strcat(xbuf, "/");
strcat(xbuf, *pp);
diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst
index 1385d57..b958970 100644
--- a/Test/D02glob.ztst
+++ b/Test/D02glob.ztst
@@ -686,3 +686,11 @@
rm glob.tmp/link
0:modifier ':P' resolves symlinks before '..' components
*>*glob.tmp/hello/world
+
+ # This is a bit brittle as it depends on PATH_MAX.
+ # We could use sysconf..
+ bad_pwd="/${(l:16000:: :):-}"
+ print ${bad_pwd:P}
+0:modifier ':P' with path too long
+?(eval):4: path expansion failed, using root directory
+>/
--
2.14.3