mirror of
https://abf.rosa.ru/djam/glibc.git
synced 2025-02-23 15:02:47 +00:00
37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
From 5460617d1567657621107d895ee2dd83bc1f88f2 Mon Sep 17 00:00:00 2001
|
|
From: Paul Pluzhnikov <ppluzhnikov@google.com>
|
|
Date: Tue, 8 May 2018 18:12:41 -0700
|
|
Subject: [PATCH] Fix BZ 22786: integer addition overflow may cause stack
|
|
buffer overflow when realpath() input length is close to SSIZE_MAX.
|
|
|
|
2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com>
|
|
|
|
[BZ #22786]
|
|
* stdlib/canonicalize.c (__realpath): Fix overflow in path length
|
|
computation.
|
|
* stdlib/Makefile (test-bz22786): New test.
|
|
* stdlib/test-bz22786.c: New test.
|
|
---
|
|
ChangeLog | 8 +++++
|
|
stdlib/Makefile | 2 +-
|
|
stdlib/canonicalize.c | 2 +-
|
|
stdlib/test-bz22786.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
4 files changed, 100 insertions(+), 2 deletions(-)
|
|
create mode 100644 stdlib/test-bz22786.c
|
|
|
|
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
|
|
index 4135f3f..390fb43 100644
|
|
--- a/stdlib/canonicalize.c
|
|
+++ b/stdlib/canonicalize.c
|
|
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
|
|
extra_buf = __alloca (path_max);
|
|
|
|
len = strlen (end);
|
|
- if ((long int) (n + len) >= path_max)
|
|
+ if (path_max - n <= len)
|
|
{
|
|
__set_errno (ENAMETOOLONG);
|
|
goto error;
|
|
--
|
|
2.9.3
|
|
|