From: "Mark E." To: djgpp-workers AT delorie DOT com Date: Mon, 9 Jul 2001 23:42:35 -0400 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: glob buffer overflow fix Message-ID: <3B4A416B.14717.344112@localhost> X-mailer: Pegasus Mail for Win32 (v3.12c) Reply-To: djgpp-workers AT delorie DOT com This patch adds buffer overflow checks to the output buffer. The idea is that a filename in the output buffer can't be valid and won't match if its size is greater or equal to 2000 bytes (or whatever impossible length). *** /cvs/djgpp/src/libc/posix/glob/glob.c Thu Jun 3 13:27:38 1999 --- glob.c Mon Jul 9 23:37:44 2001 *************** *** 15,20 **** --- 15,22 ---- #include #include + #define PATHBUF_LEN 2000 + typedef struct Save { struct Save *prev; char *entry; *************** static int save_count; *** 25,30 **** --- 27,33 ---- static int flags; static int (*errfunc)(const char *epath, int eerno); static char *pathbuf; + static char *pathbuf_end; static int wildcard_nesting; static char use_lfn; static char preserve_case; *************** glob2(const char *pattern, char *epathbu *** 180,186 **** pp = pattern; bp = epathbuf; pslash = bp-1; ! while (1) { if (*pp == ':' || *pp == '\\' || *pp == '/') { --- 183,189 ---- pp = pattern; bp = epathbuf; pslash = bp-1; ! while (bp < pathbuf_end) { if (*pp == ':' || *pp == '\\' || *pp == '/') { *************** glob2(const char *pattern, char *epathbu *** 228,233 **** --- 231,240 ---- } *bp = 0; + /* A pattern this big won't match any file. */ + if (bp == pathbuf_end && *pp) + return 0; + if (*pp == 0) /* end of pattern? */ { if (__file_exists(pathbuf)) *************** str_compare(const void *va, const void * *** 348,357 **** int glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath, int _eerrno), glob_t *_pglob) { ! 
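Review bot: The new loop condition `while (bp < pathbuf_end)` in glob2 is tested once per pass, so it bounds the writes only if each pass stores at most one byte through bp. The loop body lies outside this hunk, so that should be confirmed. The check added after the loop in the next hunk tests `bp == pathbuf_end`, which would not fire if bp ever stepped past the end. Writing it as `if (bp >= pathbuf_end && *pp)` costs nothing and keeps the rejection working in that case.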
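Review bot: The early `return 0` after `*bp = 0;` rejects only a pattern that filled the buffer inside the copy loop. A pattern that leaves the loop a few bytes short of pathbuf_end still continues into the rest of glob2, which is outside this hunk. If that code appends anything at bp (not visible here, so this is an assumption to verify), each such copy needs its own length test against the remaining room, along the lines of `if (strlen(name) >= (size_t)(pathbuf_end - bp)) continue;`, where `name` stands for whatever string is being appended. Without that, the patch bounds the pattern copy but not every write into path_buffer.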
char path_buffer[2000]; int l_ofs, l_ptr; pathbuf = path_buffer+1; flags = _flags; errfunc = _errfunc; wildcard_nesting = 0; --- 355,365 ---- int glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath, int _eerrno), glob_t *_pglob) { ! char path_buffer[PATHBUF_LEN + 1]; int l_ofs, l_ptr; pathbuf = path_buffer+1; + pathbuf_end = path_buffer + PATHBUF_LEN; flags = _flags; errfunc = _errfunc; wildcard_nesting = 0;
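Review bot: `pathbuf_end = path_buffer + PATHBUF_LEN;` needs a comment, because the bound is easy to misread as one past the array. It is in fact the last element of `path_buffer[PATHBUF_LEN + 1]`, kept free for the `*bp = 0;` that glob2 performs after its copy loop. I would add `/* last byte of path_buffer, reserved for the terminating NUL */` above the assignment. Because pathbuf starts at `path_buffer+1`, the longest pattern that fits is PATHBUF_LEN - 1 characters, and a later change to either offset has to keep that terminator slot in place. glob's body continues outside the hunk.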