From: "Mark E." To: djgpp-workers AT delorie DOT com Date: Tue, 10 Jul 2001 18:00:03 -0400 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: glob buffer overflow fix Message-ID: <3B4B42A3.4259.E8826@localhost> In-reply-to: <2950-Tue10Jul2001220813+0300-eliz@is.elta.co.il> References: <3B4B0C19 DOT 13655 DOT 81973B AT localhost> (snowball3 AT bigfoot DOT com) X-mailer: Pegasus Mail for Win32 (v3.12c) Reply-To: djgpp-workers AT delorie DOT com Errors-To: nobody AT delorie DOT com X-Mailing-List: djgpp-workers AT delorie DOT com X-Unsubscribes-To: listserv AT delorie DOT com Precedence: bulk > I don't know. If you think that test might reject arguments which > otherwise would have passed the other test, then mine was a bad idea. I don't know either. I can't fix what I don't understand, and I haven't studied globbing or how it's supposed to work. I'm sure you know more about the subject than I do. But I do know how to fix a buffer overrun, so that's what my patch does. If you or anyone else can make the code even more reliable, go for it. My second revision: *** /cvs/djgpp/src/libc/posix/glob/glob.c Thu Jun 3 13:27:38 1999 --- glob.c Tue Jul 10 14:06:30 2001 *************** *** 15,20 **** --- 15,22 ---- #include #include + #define PATHBUF_LEN 2000 + typedef struct Save { struct Save *prev; char *entry; *************** static int save_count; *** 25,30 **** --- 27,33 ---- static int flags; static int (*errfunc)(const char *epath, int eerno); static char *pathbuf; + static char *pathbuf_end; static int wildcard_nesting; static char use_lfn; static char preserve_case; *************** glob2(const char *pattern, char *epathbu *** 180,186 **** pp = pattern; bp = epathbuf; pslash = bp-1; ! while (1) { if (*pp == ':' || *pp == '\\' || *pp == '/') { --- 183,189 ---- pp = pattern; bp = epathbuf; pslash = bp-1; ! 
while (bp < pathbuf_end) { if (*pp == ':' || *pp == '\\' || *pp == '/') { *************** glob2(const char *pattern, char *epathbu *** 228,233 **** --- 231,240 ---- } *bp = 0; + /* A pattern this big won't match any file. */ + if (bp >= pathbuf_end && *pp) + return 0; + if (*pp == 0) /* end of pattern? */ { if (__file_exists(pathbuf)) *************** str_compare(const void *va, const void * *** 348,357 **** int glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath, int _eerrno), glob_t *_pglob) { ! char path_buffer[2000]; int l_ofs, l_ptr; pathbuf = path_buffer+1; flags = _flags; errfunc = _errfunc; wildcard_nesting = 0; --- 355,365 ---- int glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath, int _eerrno), glob_t *_pglob) { ! char path_buffer[PATHBUF_LEN + 1]; int l_ofs, l_ptr; pathbuf = path_buffer+1; + pathbuf_end = path_buffer + PATHBUF_LEN; flags = _flags; errfunc = _errfunc; wildcard_nesting = 0;
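Review bot: The new bound `while (bp < pathbuf_end)` in glob2 protects the buffer only if each pass stores at most one byte through `bp` and glob2 is never entered with `epathbuf` already past `pathbuf_end`. Neither can be confirmed here, because the loop body and the callers are outside the hunk. If glob2 is reached with `epathbuf` beyond the end, the loop is skipped and the following `*bp = 0;` still writes out of bounds; a guard before the loop such as `if (bp > pathbuf_end) return 0;` would close that case. Any branch in the loop body that advances `bp` more than once per pass would need its own check of the remaining space.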
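Review bot: The over-long case in glob2 ends in a plain `return 0;`, which is presumably the value the function also returns when nothing matches, so a caller of glob() cannot tell a rejected pattern from an empty result. glob2's return convention is not visible in this hunk, so that should be confirmed. If the silent result is intended, the comment should say so, for example `/* Path would not fit in pathbuf: report no match instead of truncating. */`.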
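Review bot: `pathbuf_end = path_buffer + PATHBUF_LEN` in glob() points at the last element of `path_buffer[PATHBUF_LEN + 1]`, not one past it, and the glob2 hunk relies on that slot being free for the terminating NUL, yet nothing in the patch records this. A comment on the declaration such as `/* last byte of path_buffer, reserved for the terminating NUL */` would keep a later `<=` or `+ 1` from reintroducing the overrun. The hunks shown bound only the copy loop in glob2, so any other code in the file that writes through `pathbuf` or `epathbuf` (not visible here) would need the same limit.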