authorPaul Pluzhnikov <ppluzhnikov@google.com>2018-05-08 18:12:41 -0700
committerPaul Pluzhnikov <ppluzhnikov@google.com>2018-05-08 18:12:41 -0700
commit5460617d1567657621107d895ee2dd83bc1f88f2 (patch)
tree478c1a918b575f667e34721dd6b1232b59b52554 /stdlib/canonicalize.c
parentaaee3cd88ed58f332f261021d78d071db6265e85 (diff)
Fix BZ 22786: integer addition overflow may cause stack buffer overflow
when realpath() input length is close to SSIZE_MAX.

2018-05-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

	[BZ #22786]
	* stdlib/canonicalize.c (__realpath): Fix overflow in path length
	computation.
	* stdlib/Makefile (test-bz22786): New test.
	* stdlib/test-bz22786.c: New test.
Diffstat (limited to 'stdlib/canonicalize.c')
-rw-r--r--stdlib/canonicalize.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 4135f3f33c..390fb437a8 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 		extra_buf = __alloca (path_max);
 
 	      len = strlen (end);
-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
 		{
 		  __set_errno (ENAMETOOLONG);
 		  goto error;
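Review bot: The rewritten test `path_max - n <= len` is only sound while `n` is non-negative and smaller than `path_max`, and nothing in the hunk states that invariant. The assignment that bounds `n` and the declarations of `n`, `len` and `path_max` are outside the hunk (`__realpath` starts and ends outside it). `len` presumably has an unsigned type since it holds a `strlen` result, so the comparison likely converts the left side to unsigned and a non-positive difference would silently pass the check. A comment directly above the `if` would stop a later cleanup from restoring the additive form: `/* Subtract rather than add: n + len can wrap when len is close to SSIZE_MAX (BZ #22786). Relies on 0 <= n < path_max.  */`. The buffer from `__alloca (path_max)` on the first context line is what this bound protects, so the invariant is worth stating where a reader will see it.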