bug-findutils

[ping] [PATCH] find: fix potential buffer overflow in -execdir and -okdir


From: Dmitry V. Levin
Subject: [ping] [PATCH] find: fix potential buffer overflow in -execdir and -okdir
Date: Sat, 21 Sep 2013 00:33:08 +0400

ping?

On Thu, May 16, 2013 at 03:48:21AM +0400, Dmitry V. Levin wrote:
> * lib/buildcmd.c (bc_push_arg): Take prefix length into account
> to avoid state->argbuf overflow.
> * NEWS: Mention this fix.
> ---
> 
> It would be a security issue if one could control factors triggering this
> bug, which include a directory with thousands of files.
> 
>  ChangeLog      | 7 +++++++
>  NEWS           | 2 ++
>  lib/buildcmd.c | 2 +-
>  3 files changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/ChangeLog b/ChangeLog
> index e6914ff..7b4f3e0 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,10 @@
> +2013-05-15  Dmitry V. Levin  <address@hidden>
> +
> +     find: fix potential buffer overflow in -execdir and -okdir.
> +     * lib/buildcmd.c (bc_push_arg): Take prefix length into account
> +     to avoid state->argbuf overflow.
> +     * NEWS: Mention this fix.
> +
>  2013-04-22  Paul Eggert  <address@hidden>
>  
>       More removal of support for -perm +MODE.
> diff --git a/NEWS b/NEWS
> index 4349a21..010ba6e 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -30,6 +30,8 @@ The documentation for xargs now warns about parallel 
> processes (xargs
>  Some bugs in 4.5.11 were fixed without adding them to the bug
>  database, though they are in the ChangeLog:
>  
> +*** find -execdir/-okdir potential buffer overflow.
> +
>  *** Use of [[ ... ]] in find/testsuite/sv-bug-32043.sh
>  
>  *** Don't delete header files in "lib/" for "make clean".
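Review bot: The added NEWS line, "*** find -execdir/-okdir potential buffer overflow.", names the symptom but not the condition or the fix, while the neighbouring entry "Don't delete header files ..." states what was changed. Suggest wording it as the fix and mentioning the trigger given in the cover text (a directory with thousands of files), so that readers of NEWS can judge whether they were exposed.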
> diff --git a/lib/buildcmd.c b/lib/buildcmd.c
> index d135692..2616ed6 100644
> --- a/lib/buildcmd.c
> +++ b/lib/buildcmd.c
> @@ -364,7 +364,7 @@ bc_push_arg (struct buildcmd_control *ctl,
>  
>    if (!terminate)
>      {
> -      if (state->cmd_argv_chars + len > ctl->arg_max)
> +      if (state->cmd_argv_chars + len + pfxlen > ctl->arg_max)
>          {
>            if (initial_args || state->cmd_argc == ctl->initial_argc)
>              error (EXIT_FAILURE, 0,
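Review bot: The widened test `state->cmd_argv_chars + len + pfxlen > ctl->arg_max` is only sound if the bookkeeping that follows also advances `cmd_argv_chars` by `pfxlen`; that code is outside this hunk, so please confirm the check and the accounting agree. The check also sits inside `if (!terminate)`, so it is worth stating whether the terminating call can ever carry a prefix. The types of the operands are not visible here; if they are unsigned, comparing `len + pfxlen` against `ctl->arg_max - state->cmd_argv_chars` avoids any wrap in the sum. Finally, the diffstat touches only ChangeLog, NEWS and lib/buildcmd.c, so no regression test comes with the fix; a testsuite case running -execdir over a directory with thousands of files would keep this from regressing.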
> 
> -- 
> ldv

-- 
ldv


