diff options
author | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2016-12-29 08:44:22 -0500 |
---|---|---|
committer | Will Estes <westes575@gmail.com> | 2016-12-29 08:47:10 -0500 |
commit | 7975c43384d766ca12cb3f292754dbdc34168886 (patch) | |
tree | b3722c7577c3d972ab2649a668fe256959db758b /src | |
parent | 6bea32e937058ddba2812581b1396ff35aae8d70 (diff) |
scanner: allocate correct buffer size for m4 path.
Flex did not check the length of the m4 path which could lead to a
buffer overflow in some cases. Additionally, not all platforms believe
in PATH_MAX, so stop relying on it.
Fixes #138
Diffstat (limited to 'src')
-rw-r--r-- | src/main.c | 26 |
1 files changed, 12 insertions, 14 deletions
@@ -351,8 +351,8 @@ void check_options (void) if (!path) { m4 = M4; } else { + int m4_length = strlen(m4); do { - char m4_path[PATH_MAX]; size_t length = strlen(path); struct stat sbuf; @@ -360,19 +360,17 @@ void check_options (void) if (!endOfDir) endOfDir = path+length; - if (endOfDir + 2 >= path + sizeof(m4_path)) { - path = endOfDir+1; - continue; - } - - strncpy(m4_path, path, sizeof(m4_path)); - m4_path[endOfDir-path] = '/'; - m4_path[endOfDir-path+1] = '\0'; - strncat(m4_path, m4, sizeof(m4_path) - strlen(m4_path) - 1); - if (stat(m4_path, &sbuf) == 0 && - (S_ISREG(sbuf.st_mode)) && sbuf.st_mode & S_IXUSR) { - m4 = strdup(m4_path); - break; + { + char m4_path[endOfDir-path + 1 + m4_length + 1]; + + memcpy(m4_path, path, endOfDir-path); + m4_path[endOfDir-path] = '/'; + memcpy(m4_path + (endOfDir-path) + 1, m4, m4_length + 1); + if (stat(m4_path, &sbuf) == 0 && + (S_ISREG(sbuf.st_mode)) && sbuf.st_mode & S_IXUSR) { + m4 = strdup(m4_path); + break; + } } path = endOfDir+1; } while (path[0]); |