Mail Archives: djgpp-workers/2001/07/09/23:42:37
This patch adds buffer overflow checks for the output buffer. The idea is that
a filename in the output buffer can't be valid, and won't match, if its length
is greater than or equal to 2000 bytes (or whatever impossible length is chosen).
*** /cvs/djgpp/src/libc/posix/glob/glob.c Thu Jun 3 13:27:38 1999
--- glob.c Mon Jul 9 23:37:44 2001
***************
*** 15,20 ****
--- 15,22 ----
#include <glob.h>
#include <crt0.h>
+ #define PATHBUF_LEN 2000
+
typedef struct Save {
struct Save *prev;
char *entry;
*************** static int save_count;
*** 25,30 ****
--- 27,33 ----
static int flags;
static int (*errfunc)(const char *epath, int eerno);
static char *pathbuf;
+ static char *pathbuf_end;
static int wildcard_nesting;
static char use_lfn;
static char preserve_case;
*************** glob2(const char *pattern, char *epathbu
*** 180,186 ****
pp = pattern;
bp = epathbuf;
pslash = bp-1;
! while (1)
{
if (*pp == ':' || *pp == '\\' || *pp == '/')
{
--- 183,189 ----
pp = pattern;
bp = epathbuf;
pslash = bp-1;
! while (bp < pathbuf_end)
{
if (*pp == ':' || *pp == '\\' || *pp == '/')
{
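Review bot: The new loop bound `bp < pathbuf_end` compares against a file-scope static that is only set in glob(), and nothing at the loop says what that pointer means or why the comparison is strict. A comment above the `while` would help, for example `/* pathbuf_end is the last byte of path_buffer; stop there so the NUL stored after the loop still fits. */`. The bound is only sufficient if every iteration advances bp by at most one byte and if no other code writes past bp without checking pathbuf_end. The loop body and the rest of glob2 lie outside this hunk, so both should be confirmed against the full file.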
*************** glob2(const char *pattern, char *epathbu
*** 228,233 ****
--- 231,240 ----
}
*bp = 0;
+ /* A pattern this big won't match any file. */
+ if (bp == pathbuf_end && *pp)
+ return 0;
+
if (*pp == 0) /* end of pattern? */
{
if (__file_exists(pathbuf))
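Review bot: The truncation test `bp == pathbuf_end && *pp` sits after `*bp = 0;` and only fires when this loop itself stopped exactly at the limit. glob2 takes epathbuf as a parameter, so if it is ever entered with epathbuf already beyond pathbuf_end (callers are not visible here), the loop is skipped, the NUL store lands outside path_buffer, and the equality test does not trigger. Checking before the store closes that gap: `if (bp > pathbuf_end || (bp == pathbuf_end && *pp)) return 0;` followed by `*bp = 0;`. Returning 0 also looks the same to the caller as a pattern that simply matched nothing; if that is intended, the comment should say so.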
*************** str_compare(const void *va, const void *
*** 348,357 ****
int
glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath,
int _eerrno), glob_t *_pglob)
{
! char path_buffer[2000];
int l_ofs, l_ptr;
pathbuf = path_buffer+1;
flags = _flags;
errfunc = _errfunc;
wildcard_nesting = 0;
--- 355,365 ----
int
glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath,
int _eerrno), glob_t *_pglob)
{
! char path_buffer[PATHBUF_LEN + 1];
int l_ofs, l_ptr;
pathbuf = path_buffer+1;
+ pathbuf_end = path_buffer + PATHBUF_LEN;
flags = _flags;
errfunc = _errfunc;
wildcard_nesting = 0;
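Review bot: `pathbuf_end = path_buffer + PATHBUF_LEN` is only correct while the array is declared with exactly `PATHBUF_LEN + 1` elements a few lines above it. Deriving it from the array keeps the two in step: `pathbuf_end = path_buffer + sizeof(path_buffer) - 1;`. Because pathbuf starts at `path_buffer+1`, the longest path that fits is PATHBUF_LEN - 1 characters plus the terminator, one less than the 2000 in the description. A short comment on the `#define` stating the real limit would prevent an off-by-one in later edits. glob()'s body continues outside this hunk.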