From 30f5d0522a753d683bf5a216754ce4c499c98b4e Mon Sep 17 00:00:00 2001 From: Peter Stephenson Date: Tue, 9 May 2017 17:49:18 +0100 Subject: [PATCH 2/2] 40181: Fix buffer overrun in xsymlinks. There was no check for copying to the internal xbuf2 for a preliminary test. Upstream-commit: c7a9cf465dd620ef48d586026944d9bd7a0d5d6d Signed-off-by: Kamil Dudka --- Src/utils.c | 14 +++++++++++--- Test/D02glob.ztst | 8 ++++++++ 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/Src/utils.c b/Src/utils.c index 7f3ddad..a54e310 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -886,7 +886,7 @@ xsymlinks(char *s, int full) char **pp, **opp; char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1]; int t0, ret = 0; - zulong xbuflen = strlen(xbuf); + zulong xbuflen = strlen(xbuf), pplen; opp = pp = slashsplit(s); for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) { @@ -907,10 +907,18 @@ xsymlinks(char *s, int full) xbuflen--; continue; } - sprintf(xbuf2, "%s/%s", xbuf, *pp); + /* Includes null byte. */ + pplen = strlen(*pp) + 1; + if (xbuflen + pplen + 1 > sizeof(xbuf2)) { + *xbuf = 0; + ret = -1; + break; + } + memcpy(xbuf2, xbuf, xbuflen); + xbuf2[xbuflen] = '/'; + memcpy(xbuf2 + xbuflen + 1, *pp, pplen); t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX); if (t0 == -1) { - zulong pplen = strlen(*pp) + 1; if ((xbuflen += pplen) < sizeof(xbuf)) { strcat(xbuf, "/"); strcat(xbuf, *pp); diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst index 1385d57..b958970 100644 --- a/Test/D02glob.ztst +++ b/Test/D02glob.ztst @@ -686,3 +686,11 @@ rm glob.tmp/link 0:modifier ':P' resolves symlinks before '..' components *>*glob.tmp/hello/world + + # This is a bit brittle as it depends on PATH_MAX. + # We could use sysconf.. + bad_pwd="/${(l:16000:: :):-}" + print ${bad_pwd:P} +0:modifier ':P' with path too long +?(eval):4: path expansion failed, using root directory +>/ -- 2.14.3