diff options
author | Paul Pluzhnikov <ppluzhnikov@google.com> | 2018-05-08 18:12:41 -0700 |
---|---|---|
committer | Paul Pluzhnikov <ppluzhnikov@google.com> | 2018-05-08 18:12:41 -0700 |
commit | 5460617d1567657621107d895ee2dd83bc1f88f2 (patch) | |
tree | 478c1a918b575f667e34721dd6b1232b59b52554 /stdlib/canonicalize.c | |
parent | aaee3cd88ed58f332f261021d78d071db6265e85 (diff) | |
download | glibc-5460617d1567657621107d895ee2dd83bc1f88f2.tar.gz glibc-5460617d1567657621107d895ee2dd83bc1f88f2.tar.xz glibc-5460617d1567657621107d895ee2dd83bc1f88f2.zip |
Fix BZ 22786: integer addition overflow may cause stack buffer overflow
when realpath() input length is close to SSIZE_MAX. 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> [BZ #22786] * stdlib/canonicalize.c (__realpath): Fix overflow in path length computation. * stdlib/Makefile (test-bz22786): New test. * stdlib/test-bz22786.c: New test.
Diffstat (limited to 'stdlib/canonicalize.c')
-rw-r--r-- | stdlib/canonicalize.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c index 4135f3f33c..390fb437a8 100644 --- a/stdlib/canonicalize.c +++ b/stdlib/canonicalize.c @@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved) extra_buf = __alloca (path_max); len = strlen (end); - if ((long int) (n + len) >= path_max) + if (path_max - n <= len) { __set_errno (ENAMETOOLONG); goto error; |