[Emacs-diffs] emacs-24 r117021: Fix bug #17334 with overrunning string bounds when PATH is broken.

[Eli Zaretskii]

------------------------------------------------------------
revno: 117021
revision-id: address@hidden
parent: address@hidden
fixes bug: http://debbugs.gnu.org/17334
committer: Eli Zaretskii <address@hidden>
branch nick: emacs-24
timestamp: Sat 2014-04-26 10:06:33 +0300
message:
  Fix bug #17334 with overrunning string bounds when PATH is broken.
  
   nt/cmdproxy.c (make_absolute): Don't copy more characters from PATH
   than a single directory name can hold.
modified:
  nt/ChangeLog                   changelog-20091113204419-o5vbwnq5f7feedwu-1545
  nt/cmdproxy.c                  cmdproxy.c-20091113204419-o5vbwnq5f7feedwu-1241

=== modified file 'nt/ChangeLog'
--- a/nt/ChangeLog      2014-04-21 06:37:21 +0000
+++ b/nt/ChangeLog      2014-04-26 07:06:33 +0000
@@ -1,3 +1,8 @@
+2014-04-26  Eli Zaretskii  <address@hidden>
+
+       * cmdproxy.c (make_absolute): Don't copy more characters from PATH
+       than a single directory name can hold.  (Bug#17334)
+
 2014-04-21  Eli Zaretskii  <address@hidden>
 
        * inc/ms-w32.h (lseek): Define only if not already a macro.

=== modified file 'nt/cmdproxy.c'
--- a/nt/cmdproxy.c     2014-01-16 06:24:06 +0000
+++ b/nt/cmdproxy.c     2014-04-26 07:06:33 +0000
@@ -292,11 +292,15 @@
 
   while (*path)
     {
+      size_t len;
+
       /* Get next directory from path.  */
       p = path;
       while (*p && *p != ';') p++;
-      strncpy (dir, path, p - path);
-      dir[p - path] = '\0';
+      /* A broken PATH could have too long directory names in it.  */
+      len = min (p - path, sizeof (dir) - 1);
+      strncpy (dir, path, len);
+      dir[len] = '\0';
 
       /* Search the directory for the program.  */
       if (search_dir (dir, prog, MAX_PATH, absname) > 0)