Fix BZ 22786: integer addition overflow may cause stack buffer overflow

when realpath() input length is close to SSIZE_MAX. 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> [BZ #22786] * stdlib/canonicalize.c (__realpath): Fix overflow in path length computation. * stdlib/Makefile (test-bz22786): New test. * stdlib/test-bz22786.c: New test.
author: Paul Pluzhnikov <ppluzhnikov@google.com> 2018-05-08 18:12:41 -0700
committer: Paul Pluzhnikov <ppluzhnikov@google.com> 2018-05-08 18:12:41 -0700
commit: 5460617d1567657621107d895ee2dd83bc1f88f2 (patch)
tree: 478c1a918b575f667e34721dd6b1232b59b52554 /stdlib/canonicalize.c
parent: aaee3cd88ed58f332f261021d78d071db6265e85 (diff)
download: glibc-5460617d1567657621107d895ee2dd83bc1f88f2.tar.gz
glibc-5460617d1567657621107d895ee2dd83bc1f88f2.tar.xz
glibc-5460617d1567657621107d895ee2dd83bc1f88f2.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 4135f3f33c..390fb437a8 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 		extra_buf = __alloca (path_max);
 
 	      len = strlen (end);
-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
 		{
 		  __set_errno (ENAMETOOLONG);
 		  goto error;
author	Paul Pluzhnikov <ppluzhnikov@google.com>	2018-05-08 18:12:41 -0700
committer	Paul Pluzhnikov <ppluzhnikov@google.com>	2018-05-08 18:12:41 -0700
commit	5460617d1567657621107d895ee2dd83bc1f88f2 (patch)
tree	478c1a918b575f667e34721dd6b1232b59b52554 /stdlib/canonicalize.c
parent	aaee3cd88ed58f332f261021d78d071db6265e85 (diff)
download	glibc-5460617d1567657621107d895ee2dd83bc1f88f2.tar.gz glibc-5460617d1567657621107d895ee2dd83bc1f88f2.tar.xz glibc-5460617d1567657621107d895ee2dd83bc1f88f2.zip