Date: Tue, 10 Jul 2001 11:21:30 +0300 (IDT)
From: Eli Zaretskii
X-Sender: eliz AT is
To: "Mark E."
cc: djgpp-workers AT delorie DOT com
Subject: Re: glob buffer overflow fix
In-Reply-To: <3B4A416B.14717.344112@localhost>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Reply-To: djgpp-workers AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: djgpp-workers AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk

On Mon, 9 Jul 2001, Mark E. wrote:

> This patch adds buffer overflow checks to the output buffer. The
> idea is that a filename in the output buffer can't be valid and
> won't match if its size is greater or equal to 2000 bytes (or
> whatever impossible length).

Yes, I agree.

> + /* A pattern this big won't match any file. */
> + if (bp == pathbuf_end && *pp)
> + return 0;

I suggest "bp >= pathbuf_end" instead. In a deeply-recursive function like this, you can never know ;-)

> glob(const char *_pattern, int _flags, int (*_errfunc)(const char *_epath,
> int _eerrno), glob_t *_pglob)
> {
> ! char path_buffer[PATHBUF_LEN + 1];
> int l_ofs, l_ptr;
>
> pathbuf = path_buffer+1;
> + pathbuf_end = path_buffer + PATHBUF_LEN;

Perhaps we should add a test against PATHBUF_LEN right here in `glob', even before you start expanding.
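Review bot: the guard `if (bp == pathbuf_end && *pp)` in the first hunk only fires on exact equality, so any path through the recursive expansion that advances bp by more than one byte between two checks, or that stores through bp before re-testing, steps past pathbuf_end without ever tripping it; `bp >= pathbuf_end` costs nothing extra and makes the test a real upper bound rather than a coincidence check. The comment above it also describes the wrong condition: what is being detected is "output buffer exhausted while pattern text remains", not "the pattern is too big", so reword it to say that, and state in the same comment that `return 0` is meant as "no match" (a name that long cannot exist) rather than as an error, since a reader of glob's error paths will otherwise wonder which it is.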
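Review bot: in the second hunk `pathbuf_end = path_buffer + PATHBUF_LEN` points at the last element of the `PATHBUF_LEN + 1` array while `pathbuf = path_buffer+1` skips the first, so the name bytes get `PATHBUF_LEN - 1` slots plus the one at pathbuf_end, and nothing in the hunk says whether that final slot is reserved for the terminating NUL; the overflow check elsewhere in the patch depends on exactly that. Add a one-line comment beside these two assignments stating the invariant (bp never exceeds pathbuf_end, and where the NUL must land relative to it), and, as the reply proposes, reject an over-long `_pattern` here with a length test against PATHBUF_LEN before any expansion starts, so that such input never reaches the recursive code; document that early rejection in glob's own description, because callers will observe it as a no-match or error result.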