mirror of
git://git.code.sf.net/p/zsh/code
synced 2025-10-28 05:00:59 +01:00
40181: Fix buffer overrun in xsymlinks.
There was no check for copying to the internal xbuf2 for a preliminary test.
This commit is contained in:
Peter Stephenson
parent
263a0c2476
commit
c7a9cf465d
3 changed files with 22 additions and 3 deletions
14
Src/utils.c
14
Src/utils.c
|
|
@ -886,7 +886,7 @@ xsymlinks(char *s, int full)
|
|||
char **pp, **opp;
|
||||
char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];
|
||||
int t0, ret = 0;
|
||||
zulong xbuflen = strlen(xbuf);
|
||||
zulong xbuflen = strlen(xbuf), pplen;
|
||||
|
||||
opp = pp = slashsplit(s);
|
||||
for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
|
||||
|
|
@ -907,10 +907,18 @@ xsymlinks(char *s, int full)
|
|||
xbuflen--;
|
||||
continue;
|
||||
}
|
||||
sprintf(xbuf2, "%s/%s", xbuf, *pp);
|
||||
/* Includes null byte. */
|
||||
pplen = strlen(*pp) + 1;
|
||||
if (xbuflen + pplen + 1 > sizeof(xbuf2)) {
|
||||
*xbuf = 0;
|
||||
ret = -1;
|
||||
break;
|
||||
}
|
||||
memcpy(xbuf2, xbuf, xbuflen);
|
||||
xbuf2[xbuflen] = '/';
|
||||
memcpy(xbuf2 + xbuflen + 1, *pp, pplen);
|
||||
t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
|
||||
if (t0 == -1) {
|
||||
zulong pplen = strlen(*pp) + 1;
|
||||
if ((xbuflen += pplen) < sizeof(xbuf)) {
|
||||
strcat(xbuf, "/");
|
||||
strcat(xbuf, *pp);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue