author | Ulrich Drepper <drepper@redhat.com> | 2003-02-05 17:47:50 +0000 |
---|---|---|
committer | Ulrich Drepper <drepper@redhat.com> | 2003-02-05 17:47:50 +0000 |
commit | 5049f1971ec7c2893e0e5b8a7f1eb7d2909f8bd3 (patch) | |
tree | fccf263aa6d0a0cba3ac7ad5c10ffe9885304d87 | |
parent | a88c9263686012ca2a336379b7d66e59dea2b43b (diff) | |
Update.
2003-02-05 Jim Meyering <jim@meyering.net> Fix a heap-corrupting bug. * io/ftw.c: Include <limits.h>. (PATH_MAX) [!defined PATH_MAX]: Define to 1024. (process_entry): Allocate enough space to hold the resulting file name. Don't presume that 2*dirbufsize is enough. (ftw_startup): Always use PATH_MAX to compute buffer size, now that it is guaranteed to be defined.
-rw-r--r-- | ChangeLog | 10 | ||||
-rw-r--r-- | io/ftw.c | 20 |
2 files changed, 24 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 9c0662b1bd..ed332363e2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2003-02-05 Jim Meyering <jim@meyering.net>
+
+ Fix a heap-corrupting bug.
+ * io/ftw.c: Include <limits.h>.
+ (PATH_MAX) [!defined PATH_MAX]: Define to 1024.
+ (process_entry): Allocate enough space to hold the resulting
+ file name. Don't presume that 2*dirbufsize is enough.
+ (ftw_startup): Always use PATH_MAX to compute buffer size, now that
+ it is guaranteed to be defined.
+
 2003-02-04 Ulrich Drepper <drepper@redhat.com>
 * iconvdata/Makefile: Add rules to build and run bug-iconv3.
diff --git a/io/ftw.c b/io/ftw.c
index 6b117765cb..45001d5b54 100644
--- a/io/ftw.c
+++ b/io/ftw.c
@@ -25,6 +25,7 @@
 #include <dirent.h>
 #include <errno.h>
 #include <ftw.h>
+#include <limits.h>
 #include <search.h>
 #include <stdlib.h>
 #include <string.h>
@@ -84,6 +85,14 @@
 # define NFTW_FUNC_T __nftw_func_t
 #endif
+/* We define PATH_MAX if the system does not provide a definition.
+ This does not artificially limit any operation. PATH_MAX is simply
+ used as a guesstimate for the expected maximal path length.
+ Buffers will be enlarged if necessary. */
+#ifndef PATH_MAX
+# define PATH_MAX 1024
+#endif
+
 struct dir_data
 {
 DIR *stream;
@@ -282,18 +291,20 @@ process_entry (struct ftw_data *data, struct dir_data *dir, const char *name,
 struct STAT st;
 int result = 0;
 int flag = 0;
+ size_t new_buflen;
 if (name[0] == '.'
 && (name[1] == '\0' || (name[1] == '.' && name[2] == '\0')))
 /* Don't process the "." and ".." entries. */
 return 0;
- if (data->dirbufsize < data->ftw.base + namlen + 2)
+ new_buflen = data->ftw.base + namlen + 2;
+ if (data->dirbufsize < new_buflen)
 {
 /* Enlarge the buffer. */
 char *newp;
- data->dirbufsize *= 2;
+ data->dirbufsize = 2 * new_buflen;
 newp = (char *) realloc (data->dirbuf, data->dirbufsize);
 if (newp == NULL)
 return -1;
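Review bot: In process_entry, `data->dirbufsize = 2 * new_buflen;` is stored before the realloc result is checked, so on the `return -1` path the recorded capacity is larger than the buffer `data->dirbuf` still points to. Any later bounds check against dirbufsize would then pass for a write past the old allocation; whether anything touches the buffer after this failure is not visible here. I would size the call directly, `newp = (char *) realloc (data->dirbuf, 2 * new_buflen);`, and assign `data->dirbufsize = 2 * new_buflen;` only after the NULL check. The sum `data->ftw.base + namlen + 2` and the doubling are also unchecked arithmetic, so a comment stating the expected bound on namlen would help the next reader. The function body starts and ends outside the hunk.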
@@ -518,11 +529,8 @@ ftw_startup (const char *dir, int is_nftw, void *func, int descriptors,
 * sizeof (struct dir_data *));
 memset (data.dirstreams, '\0', data.maxdir * sizeof (struct dir_data *));
-#ifdef PATH_MAX
+ /* PATH_MAX is always defined when we get here. */
 data.dirbufsize = MAX (2 * strlen (dir), PATH_MAX);
-#else
- data.dirbufsize = 2 * strlen (dir);
-#endif
 data.dirbuf = (char *) malloc (data.dirbufsize);
 if (data.dirbuf == NULL)
 return -1; |
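Review bot: The new comment above `data.dirbufsize = MAX (2 * strlen (dir), PATH_MAX);` records the preprocessor fact but not the invariant the fix relies on: this size is only an initial capacity, and every writer into data.dirbuf has to compare against dirbufsize and grow the buffer first. I would word it as `/* Initial estimate only; code that appends to dirbuf must check dirbufsize and enlarge.  */`. The diffstat lists only ChangeLog and io/ftw.c, so no regression test comes with the fix; a test that walks a tree whose path length exceeds the initial buffer would keep the overflow from returning. ftw_startup starts and ends outside the hunk.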