bug-findutils

[PATCH] find: fix potential buffer overflow in -execdir and -okdir


From: Dmitry V. Levin
Subject: [PATCH] find: fix potential buffer overflow in -execdir and -okdir
Date: Thu, 16 May 2013 03:48:21 +0400

* lib/buildcmd.c (bc_push_arg): Take prefix length into account
to avoid state->argbuf overflow.
* NEWS: Mention this fix.
---

It would be a security issue if one could control factors triggering this
bug, which include a directory with thousands of files.

 ChangeLog      | 7 +++++++
 NEWS           | 2 ++
 lib/buildcmd.c | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index e6914ff..7b4f3e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-05-15  Dmitry V. Levin  <address@hidden>
+
+       find: fix potential buffer overflow in -execdir and -okdir.
+       * lib/buildcmd.c (bc_push_arg): Take prefix length into account
+       to avoid state->argbuf overflow.
+       * NEWS: Mention this fix.
+
 2013-04-22  Paul Eggert  <address@hidden>
 
        More removal of support for -perm +MODE.
diff --git a/NEWS b/NEWS
index 4349a21..010ba6e 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,8 @@ The documentation for xargs now warns about parallel 
processes (xargs
 Some bugs in 4.5.11 were fixed without adding them to the bug
 database, though they are in the ChangeLog:
 
+*** find -execdir/-okdir potential buffer overflow.
+
 *** Use of [[ ... ]] in find/testsuite/sv-bug-32043.sh
 
 *** Don't delete header files in "lib/" for "make clean".
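
Review bot: the new NEWS line `*** find -execdir/-okdir potential buffer overflow.` says nothing about the trigger or which buffer is affected, although the note under the commit message treats this as a possible security issue. Consider naming `state->argbuf` and the condition (a directory with thousands of files) in the entry, so that packagers reading NEWS can judge whether the fix needs backporting.
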
diff --git a/lib/buildcmd.c b/lib/buildcmd.c
index d135692..2616ed6 100644
--- a/lib/buildcmd.c
+++ b/lib/buildcmd.c
@@ -364,7 +364,7 @@ bc_push_arg (struct buildcmd_control *ctl,
 
   if (!terminate)
     {
-      if (state->cmd_argv_chars + len > ctl->arg_max)
+      if (state->cmd_argv_chars + len + pfxlen > ctl->arg_max)
         {
           if (initial_args || state->cmd_argc == ctl->initial_argc)
             error (EXIT_FAILURE, 0,
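
Review bot: the widened check `state->cmd_argv_chars + len + pfxlen > ctl->arg_max` sits only inside the `if (!terminate)` branch, and the hunk does not show whether the later accounting of `state->cmd_argv_chars` also counts `pfxlen`. If the counter is advanced by `len` alone after the copy, the limit check and the running total can drift apart again on later arguments, so please confirm that both use `len + pfxlen`. The diffstat also lists only ChangeLog, NEWS and lib/buildcmd.c: a regression test that runs -execdir over a directory with thousands of files, the trigger named in the note under the commit message, would keep this from coming back.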

-- 
ldv


