[v2,3/4] stdlib: Fix arithmetic overflows in realpath [BZ #26592]

Message ID 20201027143531.2448132-3-adhemerval.zanella@linaro.org
State New
Series [v2,1/4] Sync canonicalize with gnulib [BZ #10635]

Commit Message

Adhemerval Zanella Oct. 27, 2020, 2:35 p.m. UTC
realpath uses an end-of-array pointer 'rpath_limit', and makes
invalid (overflowing) comparisons against it to catch overflow:

      /* Find end of path component.  */
      if (dest + (end-start) >= rpath_limit)

I could not see an easy way to stress this issue since it relies on how
the input argument is laid out in memory along with a large filename
that triggers the overflow comparison.  However, the fix is
simple enough where it simply reorganizes the arithmetic in the comparison.

Checked on x86_64-linux-gnu and i686-linux-gnu.
---
 stdlib/canonicalize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 50244d0f67..9aa69676e4 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -136,7 +136,7 @@  __realpath (const char *name, char *resolved)
           if (dest[-1] != '/')
             *dest++ = '/';
 
-          if (dest + (end - start) >= rpath_limit)
+          if (end - start >= rpath_limit - dest)
             {
               ptrdiff_t dest_offset = dest - rpath;
               char *new_rpath;
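Review bot: the new condition on the `+` line, `end - start >= rpath_limit - dest`, depends on `dest <= rpath_limit` holding at that point, and the hunk neither states nor checks that invariant. Both sides are now signed pointer differences, so the comparison is well defined only while `dest` stays inside the buffer or at its end, yet the `*dest++ = '/'` two lines above writes and advances `dest` before any bounds check runs. Please add a short comment above the `if` saying that the subtraction form is deliberate (computing `dest + (end - start)` can form a pointer past the end of the object, which is undefined) so a later cleanup does not fold it back, and note there what guarantees room for the separator. Since the commit message says the case is hard to reach through `realpath` itself, an assertion of `dest <= rpath_limit` in debug builds would at least document the assumption.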