Avoid overwriting buffers with long pathnames

Reported, with initial patch, by Gisle Vanem <gvanem@online.no>

* src/main.c (find_and_set_default_shell) [W32]: Pass search_token
directly to w32ify: no need to make a copy first.  When we need to
construct a path, use snprintf() to be sure we don't overwrite
the locally-allocated buffer.
* src/w32/pathstuff.c (w32ify) [W32]: Use the malloc version of
_fullpath(), followed by strncpy(), to avoid overwriting buffers.
This commit is contained in:
Paul Smith 2022-06-17 19:55:11 -04:00
parent 59abb46bc9
commit 97e51c0285
2 changed files with 15 additions and 11 deletions

View file

@ -941,7 +941,6 @@ find_and_set_default_shell (const char *token)
char *atoken = 0;
const char *search_token;
const char *tokend;
PATH_VAR(sh_path);
extern const char *default_shell;
if (!token)
@ -965,8 +964,7 @@ find_and_set_default_shell (const char *token)
{
batch_mode_shell = 1;
unixy_shell = 0;
sprintf (sh_path, "%s", search_token);
default_shell = xstrdup (w32ify (sh_path, 0));
default_shell = xstrdup (w32ify (search_token, 0));
DB (DB_VERBOSE, (_("find_and_set_shell() setting default_shell = %s\n"),
default_shell));
sh_found = 1;
@ -980,8 +978,7 @@ find_and_set_default_shell (const char *token)
else if (_access (search_token, 0) == 0)
{
/* search token path was found */
sprintf (sh_path, "%s", search_token);
default_shell = xstrdup (w32ify (sh_path, 0));
default_shell = xstrdup (w32ify (search_token, 0));
DB (DB_VERBOSE, (_("find_and_set_shell() setting default_shell = %s\n"),
default_shell));
sh_found = 1;
@ -1001,9 +998,11 @@ find_and_set_default_shell (const char *token)
while (ep && *ep)
{
PATH_VAR (sh_path);
*ep = '\0';
sprintf (sh_path, "%s/%s", p, search_token);
snprintf (sh_path, GET_PATH_MAX, "%s/%s", p, search_token);
if (_access (sh_path, 0) == 0)
{
default_shell = xstrdup (w32ify (sh_path, 0));
@ -1025,7 +1024,8 @@ find_and_set_default_shell (const char *token)
/* be sure to check last element of Path */
if (p && *p)
{
sprintf (sh_path, "%s/%s", p, search_token);
PATH_VAR (sh_path);
snprintf (sh_path, GET_PATH_MAX, "%s/%s", p, search_token);
if (_access (sh_path, 0) == 0)
{
default_shell = xstrdup (w32ify (sh_path, 0));

View file

@ -100,13 +100,17 @@ w32ify(const char *filename, int resolve)
char *p;
if (resolve)
_fullpath(w32_path, filename, sizeof (w32_path));
{
char *fp = _fullpath (NULL, filename, sizeof (w32_path));
strncpy (w32_path, fp, sizeof (w32_path));
free (fp);
}
else
strncpy(w32_path, filename, sizeof (w32_path));
strncpy(w32_path, filename, sizeof (w32_path));
for (p = w32_path; p && *p; p++)
if (*p == '\\')
*p = '/';
if (*p == '\\')
*p = '/';
return w32_path;
}