zsh-workers
* [PATCH] GNU canonicalize_file_name can return a NULL pointer
@ 2012-02-07 18:45 Timothy Redaelli
  2012-02-07 20:10 ` Frank Terbeck
  0 siblings, 1 reply; 3+ messages in thread
From: Timothy Redaelli @ 2012-02-07 18:45 UTC (permalink / raw)
  To: zsh-workers

Hi,
In Src/hist.c on line 1668 there is a NULL pointer dereference because GNU canonicalize_file_name returns NULL on some errors.

In the attachment you will find a small patch that fixes that bug.

If you want to reproduce it you can do (under GNU/Linux) a simple: zsh -c 'a=(a /b) ; echo ${a:A}'

Thanks

[-- Attachment #2: 0001-GNU-canonicalize_file_name-can-return-a-NULL-pointer.patch --]
[-- Type: application/octet-stream, Size: 677 bytes --]

From cd107ed1c3cc638f0d699516b544128d1b1c7f1d Mon Sep 17 00:00:00 2001
From: Timothy Redaelli <timothy.redaelli@gmail.com>
Date: Tue, 7 Feb 2012 19:36:42 +0100
Subject: [PATCH] GNU canonicalize_file_name can return a NULL pointer.

---
 Src/hist.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/Src/hist.c b/Src/hist.c
index aeb6edd..4d522dd 100644
--- a/Src/hist.c
+++ b/Src/hist.c
@@ -1664,6 +1664,11 @@ chrealpath(char **junkptr)
 	    errno == ENAMETOOLONG || errno == ENOMEM)
 	    return 0;
 
+#ifdef HAVE_CANONICALIZE_FILE_NAME
+	if (!real)
+	    return 0;
+#endif
+
 	if (nonreal == *junkptr) {
 	    *real = '\0';
 	    break;
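Review bot: the new `if (!real) return 0;` sits after the errno comparison at the top of the hunk (`errno == ENAMETOOLONG || errno == ENOMEM`), so unless the condition above the hunk already tests `real`, that errno check is evaluated before anyone has confirmed the call failed at all, and errno is only meaningful on failure; since canonicalize_file_name() returns NULL on every error, placing the NULL test first (or making it the only gate) would be simpler and would protect the `*real = '\0'` write a few lines below on every failure path, not just the listed errno values. The `#ifdef HAVE_CANONICALIZE_FILE_NAME` guard deserves a one-line comment in the hunk explaining why the check is limited to that branch, and the commit message has no body: the reproducer from the cover mail, `zsh -c 'a=(a /b) ; echo ${a:A}'`, belongs there so the regression is documented with the fix.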
-- 
1.7.9



* Re: [PATCH] GNU canonicalize_file_name can return a NULL pointer
  2012-02-07 18:45 [PATCH] GNU canonicalize_file_name can return a NULL pointer Timothy Redaelli
@ 2012-02-07 20:10 ` Frank Terbeck
  2012-02-07 21:26   ` Timothy Redaelli
  0 siblings, 1 reply; 3+ messages in thread
From: Frank Terbeck @ 2012-02-07 20:10 UTC (permalink / raw)
  To: Timothy Redaelli; +Cc: zsh-workers

Timothy Redaelli wrote:
> In Src/hist.c on line 1668 there is a NULL pointer dereference because
> GNU canonicalize_file_name returns NULL on some errors.
>
> In attachment you will find a small patch that fixes that bug.

Thanks!

I've looked at the code and it bails out for a couple of errors in
`errno'. I've looked at how canonicalize_file_name() is implemented by
glibc, and it's just a short hand for "realpath(foo, NULL)". So at least
on GNU systems the errors from realpath(3) apply to
canonicalize_file_name(), too. Here's the current standard:

<http://pubs.opengroup.org/onlinepubs/9699919799/functions/realpath.html>

I don't know if it's worth checking all those or just go with bailing
out if `real' is NULL.

Both HAVE_REALPATH and HAVE_CANONICALIZE_FILE_NAME use a `real' pointer,
so I think the "if (!null)" test should be in there unconditionally,
without the `#ifdef'.

Comments?

Regards, Frank



* Re: [PATCH] GNU canonicalize_file_name can return a NULL pointer
  2012-02-07 20:10 ` Frank Terbeck
@ 2012-02-07 21:26   ` Timothy Redaelli
  0 siblings, 0 replies; 3+ messages in thread
From: Timothy Redaelli @ 2012-02-07 21:26 UTC (permalink / raw)
  To: zsh-workers

On Tue, 07 Feb 2012 21:10:58 +0100, Frank Terbeck <ft@bewatermyfriend.org>  
wrote:

> Timothy Redaelli wrote:
>> In Src/hist.c on line 1668 there is a NULL pointer dereference because
>> GNU canonicalize_file_name returns NULL on some errors.
>>
>> In attachment you will find a small patch that fixes that bug.
>
> Thanks!
>
> I've looked at the code and it bails out for a couple of errors in
> `errno'. I've looked at how canonicalize_file_name() is implemented by
> glibc, and it's just a short hand for "realpath(foo, NULL)". So at least
> on GNU systems the errors from realpath(3) apply to
> canonicalize_file_name(), too. Here's the current standard:
>
> <http://pubs.opengroup.org/onlinepubs/9699919799/functions/realpath.html>
>
> I don't know if it's worth checking all those or just go with bailing
> out if `real' is NULL.
>
> Both HAVE_REALPATH and HAVE_CANONICALIZE_FILE_NAME use a `real' pointer,
> so I think the "if (!null)" test should be in there unconditionally,
> without the `#ifdef'.
>
> Comments?

Hi,
in the HAVE_REALPATH branch real is not a pointer, but it's defined as real[PATH_MAX], so it cannot be NULL.
We can make the if unconditional, but it's quite useless (because it's always false in the HAVE_REALPATH branch).
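
The two points raised in this thread, that glibc's canonicalize_file_name() is shorthand for realpath(foo, NULL) and fails by returning NULL, and that the realpath() branch instead fills a fixed real[PATH_MAX] buffer, are illustrated below by an added example wrapper. It is not code from the zsh patch or the zsh source; the function names resolve_path() and resolve_error_name() and the sample paths are constructed for this example. The wrapper uses the allocating form, tests the result before any dereference, and copies it into a caller-supplied fixed buffer, so a NULL return can never reach a `*real = '\0'` style write.

```c
/* Added example (not part of the zsh patch): a NULL-safe wrapper around
 * realpath(path, NULL).  Any failure yields NULL with errno set, so the
 * result must be tested before it is dereferenced. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve `path` into `out` (capacity `outlen`).  Returns 1 on success and
 * 0 on any failure, leaving errno as set by realpath(3), or ERANGE if the
 * resolved path does not fit the caller's buffer.  The realpath() result is
 * checked for NULL before anything is read through it. */
int resolve_path(const char *path, char *out, size_t outlen)
{
    char *real = realpath(path, NULL);   /* allocating form; NULL on error */
    if (!real)
        return 0;                        /* ENOENT, ENOTDIR, EACCES, ELOOP, ENAMETOOLONG, ENOMEM, ... */

    size_t n = strlen(real);
    if (n + 1 > outlen) {                /* mirror of the fixed real[PATH_MAX] case */
        free(real);
        errno = ERANGE;
        return 0;
    }
    memcpy(out, real, n + 1);
    free(real);
    return 1;
}

/* Map the errno values realpath(3) documents to a short diagnostic name. */
const char *resolve_error_name(int err)
{
    switch (err) {
    case ENOENT:       return "missing path component";
    case ENOTDIR:      return "component is not a directory";
    case EACCES:       return "permission denied";
    case ELOOP:        return "too many symbolic links";
    case ENAMETOOLONG: return "path too long";
    case ENOMEM:       return "out of memory";
    case ERANGE:       return "caller buffer too small";
    default:           return "other error";
    }
}

int main(void)
{
    /* Constructed inputs: paths that exist on every system, plus one that
     * is not expected to exist anywhere (the "/b" of the reproducer). */
    const char *inputs[] = { "/", "/..", "/nonexistent-zsh-example-dir/b" };
    char buf[PATH_MAX];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (resolve_path(inputs[i], buf, sizeof buf))
            printf("%-34s -> %s\n", inputs[i], buf);
        else
            printf("%-34s -> unresolvable: %s\n", inputs[i],
                   resolve_error_name(errno));
    }
    return 0;
}
```

The wrapper returns 0 rather than a partially filled buffer on every error, so callers have a single condition to test, which is the shape Frank suggests for the unconditional check in chrealpath().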


