[bug #65172] Fix a buffer overrun on a variable with a long name.
From: Dmitry Goncharov
Subject: [bug #65172] Fix a buffer overrun on a variable with a long name.
Date: Tue, 16 Jan 2024 17:47:58 -0500 (EST)
Follow-up Comment #1, bug#65172 (group make):
A user reported a buffer overflow on a variable with a long name.
Here is a fix.
[SV 65172] Fix a buffer overrun on a variable with a long name.
* src/expand.c (recursively_expand_for_file): Fix a buffer overrun.
* tests/scripts/functions/shell: Add a test.
diff --git a/src/expand.c b/src/expand.c
index fe09c9c3..283a3d47 100644
--- a/src/expand.c
+++ b/src/expand.c
@@ -164,9 +164,11 @@ recursively_expand_for_file (struct variable *v, struct
file *file)
/* We could create a hash for the original environment for speed, but
a
reasonably written makefile shouldn't hit this situation... */
for (ep = environ; *ep != 0; ++ep)
- if ((*ep)[nl] == '=' && strncmp (*ep, v->name, nl) == 0)
- return xstrdup ((*ep) + nl + 1);
-
+ {
+ size_t len = strlen (*ep);
+ if (len >= nl && (*ep)[nl] == '=' && memcmp (*ep, v->name, nl) ==
0)
+ return xstrdup ((*ep) + nl + 1);
+ }
/* If there's nothing in the parent environment, use the empty string.
This isn't quite correct since the variable should not exist at
all,
but getting that to work would be involved. */
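Review bot: the new guard `len >= nl` inside the loop is safe as written but would be clearer as `len > nl` with a one-line comment explaining it. An entry of exactly `nl` bytes has its terminating NUL at index `nl`, so it can never satisfy `(*ep)[nl] == '='`, and a comment would record that the old code indexed `(*ep)[nl]` in environment entries shorter than the variable name. The hunk also drops the blank line that separated the loop from the following comment block; keeping it would preserve the original spacing.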
Here is a test.
[SV 65172] Fix a buffer overrun on a variable with a long name.
* src/expand.c (recursively_expand_for_file): Fix a buffer overrun.
* tests/scripts/functions/shell: Add a test.
diff --git a/tests/scripts/functions/shell b/tests/scripts/functions/shell
index e5c346cc..b9b9ee32 100644
--- a/tests/scripts/functions/shell
+++ b/tests/scripts/functions/shell
@@ -213,4 +213,15 @@ endif
'--no-print-directory -j2', ": 2\n: 1");
}
+if ($port_type eq 'UNIX') {
+ # sv 65172.
+ # Buffer overrun in recursively_expand_for_file on a variable with a
long
+ # name.
+ my $v = "a1234567890" x 4 x 1000;
+ run_make_test("
+export $v=\$(shell echo hello)
+all:; \@echo \$\$$v
+", '', "hello\n");
+}
+
1;
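Review bot: the added test block only compares make's output with "hello\n", so it detects the overrun only when the out-of-bounds read happens to fault. A sentence in the `# sv 65172.` comment saying the test is meant to be exercised under a memory checker or sanitizer build would make that intent explicit. On style, `"a1234567890" x 4 x 1000` can be written with a single repetition count (`x 4000`), and the comment does not say why the test is restricted to `$port_type eq 'UNIX'`.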
The original mail is here
https://lists.gnu.org/archive/html/bug-make/2024-01/msg00044.html
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?65172>