28568: buffer overflow examining paths

author: Peter Stephenson <pws@users.sourceforge.net> 2011-01-05 18:22:08 +0000
committer: Peter Stephenson <pws@users.sourceforge.net> 2011-01-05 18:22:08 +0000
commit: dd0ad1ac2310853e3d4963c5715de6a9c058479f (patch)
tree: 5dbacc145309379af9fc3f41d1b206ff6c1bb746 /Src/utils.c
parent: 564fd4e8db65f4da6a80c93a492b46ff748d1f28 (diff)
download: zsh-dd0ad1ac2310853e3d4963c5715de6a9c058479f.tar.gz
zsh-dd0ad1ac2310853e3d4963c5715de6a9c058479f.tar.xz
zsh-dd0ad1ac2310853e3d4963c5715de6a9c058479f.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/Src/utils.c b/Src/utils.c
index b64530bcc..a1cac2537 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -3667,16 +3667,22 @@ mindist(char *dir, char *mindistguess, char *mindistbest)
     int mindistd, nd;
     DIR *dd;
     char *fn;
-    char buf[PATH_MAX];
+    char *buf;
 
     if (dir[0] == '\0')
 	dir = ".";
     mindistd = 100;
+
+    buf = zalloc(strlen(dir) + strlen(mindistguess) + 2);
     sprintf(buf, "%s/%s", dir, mindistguess);
+
     if (access(unmeta(buf), F_OK) == 0) {
 	strcpy(mindistbest, mindistguess);
+	free(buf);
 	return 0;
     }
+    free(buf);
+
     if (!(dd = opendir(unmeta(dir))))
 	return mindistd;
     while ((fn = zreaddir(dd, 0))) {
author	Peter Stephenson <pws@users.sourceforge.net>	2011-01-05 18:22:08 +0000
committer	Peter Stephenson <pws@users.sourceforge.net>	2011-01-05 18:22:08 +0000
commit	dd0ad1ac2310853e3d4963c5715de6a9c058479f (patch)
tree	5dbacc145309379af9fc3f41d1b206ff6c1bb746 /Src/utils.c
parent	564fd4e8db65f4da6a80c93a492b46ff748d1f28 (diff)
download	zsh-dd0ad1ac2310853e3d4963c5715de6a9c058479f.tar.gz zsh-dd0ad1ac2310853e3d4963c5715de6a9c058479f.tar.xz zsh-dd0ad1ac2310853e3d4963c5715de6a9c058479f.zip