From: Jim Meyering
Subject: coreutils-5.0: heap corrupting bug in canonicalize.c (affects df and readlink on some systems)
Date: Sat, 03 May 2003 21:26:38 +0200
This bug affects systems that lack both the canonicalize_file_name
function and the resolvepath function.
So it does *not* affect GNU libc-based systems and it does not
affect Solaris systems.
Systems it appears to affect: FreeBSD, NetBSD, Darwin, HPUX, AIX.
The symptom is that df and `readlink --canonicalize' can segfault etc.
when their heap is corrupted.
Here's the fix:
* canonicalize.c (canonicalize_file_name) [!HAVE_RESOLVEPATH]:
A memory-allocation error could result in heap corruption. Fix it
by also updating `dest' when rpath may be changed by xrealloc.
Index: lib/canonicalize.c
===================================================================
RCS file: /fetish/cu/lib/canonicalize.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -u -r1.8 -r1.9
--- lib/canonicalize.c 11 Apr 2003 12:20:35 -0000 1.8
+++ lib/canonicalize.c 2 May 2003 21:42:51 -0000 1.9
@@ -173,9 +173,11 @@ canonicalize_file_name (const char *name
if (!rpath)
return NULL;
dest = strchr (rpath, '\0');
- if (dest < rpath + PATH_MAX)
+ if (dest - rpath < PATH_MAX)
{
- rpath = xrealloc (rpath, PATH_MAX);
+ char *p = xrealloc (rpath, PATH_MAX);
+ dest = p + (dest - rpath);
+ rpath = p;
rpath_limit = rpath + PATH_MAX;
}
else
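Review bot: at `dest = p + (dest - rpath);` the offset is computed from `rpath` after `xrealloc` may already have freed the block it points to; the arithmetic gives the right answer in practice, but C leaves the value of a pointer to freed storage indeterminate, so the cleaner form takes the offset first: `size_t off = dest - rpath; rpath = xrealloc (rpath, PATH_MAX); dest = rpath + off;`. The change of the condition from `dest < rpath + PATH_MAX` to `dest - rpath < PATH_MAX` is worth keeping for the same reason, since `rpath + PATH_MAX` can lie beyond the block being grown. The re-derivation of `dest` is the substance of the fix: before it, `dest` kept pointing into the old block and every later write through it landed in freed memory, which matches the df and readlink crashes described.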
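The stale-pointer pattern behind this fix, as an added example that is not part of coreutils: a miniature of the canonicalize copy loop whose buffer starts deliberately small so realloc moves it several times, with a helper that records the cursor's offset before the call and re-derives it from the new base, which is what the patch's `dest = p + (dest - rpath)` achieves. The names `grow_keeping_cursor` and `join_components` are mine.

```c
#include <stdlib.h>
#include <string.h>
/* Grow *buf to at least NEED bytes, keeping *cursor at the same offset in the
   (possibly moved) block: the offset is taken before realloc, so no pointer
   into the old block is used once that block may have been freed. */
int grow_keeping_cursor (char **buf, char **cursor, size_t *cap, size_t need)
{
  if (need <= *cap) return 0;
  size_t off = *cursor - *buf;          /* record the offset, not the pointer */
  size_t newcap = *cap;
  while (newcap < need) newcap *= 2;
  char *p = realloc (*buf, newcap);
  if (!p) return -1;                    /* caller still owns the old block */
  *buf = p;
  *cursor = p + off;                    /* re-derive the cursor from the new base */
  *cap = newcap;
  return 0;
}
/* Constructed stand-in for the canonicalize copy loop: appends the components
   of NAME to a buffer that starts deliberately tiny (4 bytes) so realloc moves
   it, dropping empty and "." components. No symlink or ".." handling. */
char *join_components (const char *name)
{
  size_t cap = 4;
  char *rpath = malloc (cap), *dest = rpath;
  const char *start = name;
  if (!rpath) return NULL;
  while (*start)
    {
      while (*start == '/') start++;
      const char *end = start;
      while (*end && *end != '/') end++;
      size_t len = end - start;
      if (len == 0) break;
      if (!(len == 1 && start[0] == '.'))
        {
          /* room for '/', the component and the terminator */
          if (grow_keeping_cursor (&rpath, &dest, &cap, (dest - rpath) + len + 2))
            { free (rpath); return NULL; }
          *dest++ = '/';
          memcpy (dest, start, len);
          dest += len;
        }
      start = end;
    }
  if (dest == rpath)
    *dest++ = '/';                      /* "" and "//" canonicalise to "/" */
  *dest = '\0';
  return rpath;
}
```

Building with `-fsanitize=address` and replacing the body of `grow_keeping_cursor` with a bare `realloc` that leaves `*cursor` alone reproduces the heap corruption the report describes as a use-after-free on the first write after a move.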