From: Ricky Zhou
To: zsh-workers@zsh.org
Date: Mon, 27 Dec 2010 07:00:23 -0500
Subject: [PATCH] Fix buffer overflow in mindist.
Message-ID: <20101227120023.GA27174@alpha.rzhou.org>
X-Seq: 28549

(reported at https://bugzilla.redhat.com/show_bug.cgi?id=591377)
--- Src/utils.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Src/utils.c b/Src/utils.c index b64530b..513bc7e 100644 --- a/Src/utils.c +++ b/Src/utils.c 
@@ -3665,14 +3665,21 @@ static int mindist(char *dir, char *mindistguess, char *mindistbest) { int mindistd, nd; + int len; DIR *dd; char *fn; - char buf[PATH_MAX]; + char buf[PATH_MAX + 1]; =20 if (dir[0] =3D=3D '\0') dir =3D "."; mindistd =3D 100; - sprintf(buf, "%s/%s", dir, mindistguess); + + /* input was too long and result got truncated */ + len =3D snprintf(buf, sizeof(buf), "%s/%s", dir, mindistguess); + if (len >=3D sizeof(buf) || len < 0) { + return mindistd; + } + if (access(unmeta(buf), F_OK) =3D=3D 0) { strcpy(mindistbest, mindistguess); return 0; --=20 1.7.3.4
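Review bot: The new check `if (len >= sizeof(buf) || len < 0)` compares the signed `int len` against a `size_t`, so it draws a sign-compare warning, and a negative `len` is only caught because it converts to a large unsigned value. Testing the error case first and casting explicitly, for example `if (len < 0 || (size_t)len >= sizeof(buf))`, states the intent and keeps the two failure modes separate. The comment "input was too long and result got truncated" sits above the `snprintf` call and would read better on the `if` it describes. The unchanged context line `strcpy(mindistbest, mindistguess);` is still an unbounded copy. The size of the caller's `mindistbest` buffer is not visible in this hunk, so it is worth confirming that it can hold any `mindistguess` that passes the new length check, or bounding that copy in the same patch.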