From: "Mark E." <snowball3 AT bigfoot DOT com>
To: djgpp-workers AT delorie DOT com
Date: Tue, 10 Jul 2001 18:00:03 -0400
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: glob buffer overflow fix
Message-ID: <3B4B42A3.4259.E8826@localhost>
In-reply-to: <2950-Tue10Jul2001220813+0300-eliz@is.elta.co.il>
References: <3B4B0C19 DOT 13655 DOT 81973B AT localhost> (snowball3 AT bigfoot DOT com)
X-mailer: Pegasus Mail for Win32 (v3.12c)
Reply-To: djgpp-workers AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: djgpp-workers AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

> I don't know.  If you think that test might reject arguments which
> otherwise would have passed the other test, then mine was a bad idea.

I don't know either. I can't fix what I don't understand, and I haven't 
studied globbing or how it's supposed to work. I'm sure you know more about 
the subject than I do. But I do know how to fix a buffer overrun, so that's 
what my patch does. If you or anyone else can make the code even more 
reliable, go for it.

My second revision:
*** /cvs/djgpp/src/libc/posix/glob/glob.c	Thu Jun  3 13:27:38 1999
--- glob.c	Tue Jul 10 14:06:30 2001
***************
*** 15,20 ****
--- 15,22 ----
  #include <glob.h>
  #include <crt0.h>
  
+ #define PATHBUF_LEN 2000
+ 
  typedef struct Save {
    struct Save *prev;
    char *entry;
*************** static int save_count;
*** 25,30 ****
--- 27,33 ----
  static int flags;
  static int (*errfunc)(const char *epath, int eerno);
  static char *pathbuf;
+ static char *pathbuf_end;
  static int wildcard_nesting;
  static char use_lfn;
  static char preserve_case;
*************** glob2(const char *pattern, char *epathbu
*** 180,186 ****
    pp = pattern;
    bp = epathbuf;
    pslash = bp-1;
!   while (1)
    {
      if (*pp == ':' || *pp == '\\' || *pp == '/')
      {
--- 183,189 ----
    pp = pattern;
    bp = epathbuf;
    pslash = bp-1;
!   while (bp < pathbuf_end)
    {
      if (*pp == ':' || *pp == '\\' || *pp == '/')
      {
*************** glob2(const char *pattern, char *epathbu
*** 228,233 ****
--- 231,240 ----
    }
    *bp = 0;
  
+   /* A pattern this big won't match any file.  */
+   if (bp >= pathbuf_end && *pp)
+     return 0;
+ 
    if (*pp == 0) /* end of pattern? */
    {
      if (__file_exists(pathbuf))
*************** str_compare(const void *va, const void *
*** 348,357 ****
  int
  glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath, 
int _eerrno), glob_t *_pglob)
  {
!   char path_buffer[2000];
    int l_ofs, l_ptr;
  
    pathbuf = path_buffer+1;
    flags = _flags;
    errfunc = _errfunc;
    wildcard_nesting = 0;
--- 355,365 ----
  int
  glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath, 
int _eerrno), glob_t *_pglob)
  {
!   char path_buffer[PATHBUF_LEN + 1];
    int l_ofs, l_ptr;
  
    pathbuf = path_buffer+1;
+   pathbuf_end = path_buffer + PATHBUF_LEN;
    flags = _flags;
    errfunc = _errfunc;
    wildcard_nesting = 0;