[PATCH 3/4] stdlib: Fix arithmetic overflows in realpath [BZ #26592]
Adhemerval Zanella
adhemerval.zanella@linaro.org
Thu Sep 10 15:19:14 GMT 2020
The realpath uses an end-of-array pointer 'rpath_limit', and makes
invalid (overflowing) comparisons against it to catch overflow:

    /* Find end of path component. */
    if (dest + (end-start) >= rpath_limit)

I could not see an easy way to stress this issue since it relies on how
the input argument is laid out in memory along with a large filename
that triggers the overflow comparison. However, the fix is
simple enough where it simply reorganizes arithmetic in the comparison.
Checked on x86_64-linux-gnu and i686-linux-gnu.
---
stdlib/canonicalize.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 6798ed8963..44a25a9a59 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -136,7 +136,7 @@ __realpath (const char *name, char *resolved)
if (dest[-1] != '/')
*dest++ = '/';
- if (dest + (end - start) >= rpath_limit)
+ if (end - start >= rpath_limit - dest)
{
ptrdiff_t dest_offset = dest - rpath;
char *new_rpath;
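Review bot: The new condition `if (end - start >= rpath_limit - dest)` carries no comment explaining why it is written as two differences, so a later cleanup could fold it back into the pointer addition this patch removes. Suggest a short comment above the `if` noting that `dest + (end - start)` may point past `rpath_limit`, and that only the remaining space `rpath_limit - dest` is safe to compute. The commit message also says the case could not easily be stressed; a regression test, or a note in BZ #26592 on why one is impractical, would make the fix easier to keep.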
--
2.25.1
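The difference between the two forms of the comparison, as an added example that is not part of the patch or of glibc: the first two functions model the check on integers (where wraparound is defined) and the third applies the subtraction form to a real buffer. The names needs_grow_add, needs_grow_sub, struct pathbuf and pathbuf_append are hypothetical, and the addresses in main are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Integer model of the old check: dest + len can wrap, so a huge len
   appears to fit.  On real pointers that addition is undefined.  */
static bool needs_grow_add (uintptr_t dest, uintptr_t limit, size_t len)
{ return dest + len >= limit; }
/* Model of the fixed check: limit - dest cannot wrap while dest <= limit.  */
static bool needs_grow_sub (uintptr_t dest, uintptr_t limit, size_t len)
{ return len >= limit - dest; }
/* Hypothetical growable buffer shaped like rpath / dest / rpath_limit.  */
struct pathbuf { char *base, *dest, *limit; };

/* Append len bytes plus a NUL, growing first when they do not fit.  */
static bool pathbuf_append (struct pathbuf *b, const char *s, size_t len)
{
  size_t used = (size_t) (b->dest - b->base);
  if (len >= (size_t) (b->limit - b->dest))
    {
      if (len > SIZE_MAX - used - 1)
        return false;            /* the new size itself would overflow */
      char *p = realloc (b->base, used + len + 1);
      if (p == NULL)
        return false;
      b->base = p;
      b->dest = p + used;
      b->limit = p + used + len + 1;
    }
  memcpy (b->dest, s, len);
  b->dest += len;
  *b->dest = '\0';
  return true;
}

int main (void)
{
  uintptr_t limit = UINTPTR_MAX - 0x10, dest = limit - 0xF0; /* constructed */
  struct pathbuf b = { malloc (8), NULL, NULL };
  if (b.base == NULL) return 1;
  b.dest = b.base; b.limit = b.base + 8;
  bool ok = pathbuf_append (&b, "/usr", 4) && pathbuf_append (&b, "/local/bin", 10);
  printf ("add=%d sub=%d ok=%d path=%s\n", needs_grow_add (dest, limit, 0x200),
          needs_grow_sub (dest, limit, 0x200), ok, b.base);
  free (b.base);
  return 0;
}
```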