Re: [bug #36641] Crash when using ridiculously large target names
From: Rob Walker
Subject: Re: [bug #36641] Crash when using ridiculously large target names
Date: Tue, 12 Jun 2012 12:53:10 -0700
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

On 6/12/12 10:16 AM, anonymous wrote:
> URL:
> <http://savannah.gnu.org/bugs/?36641>
>
> Summary: Crash when using ridiculously large target names
> Project: make
> Submitted by: None
> Submitted on: Tue 12 Jun 2012 05:16:49 PM UTC
> Severity: 3 - Normal
> Item Group: Bug
> Status: None
> Privacy: Public
> Assigned to: None
> Open/Closed: Open
> Discussion Lock: Any
> Component Version: 3.82
> Operating System: Any
> Fixed Release: None
> Triage Status: None
>
> _______________________________________________________
>
> Details:
>
> If the stem len is bigger than PATH_MAX, it results in a buffer overrun:
>
> 455a456
>> unsigned int stemlen_copy;
> 494,495c495,497
> < strncpy (stem_str, stem, stemlen);
> < stem_str[stemlen] = '\0';
> ---
>> stemlen_copy = stemlen > sizeof(stem_str) ? sizeof(stem_str) :
> stemlen;
>> strncpy (stem_str, stem, stemlen_copy);
>> stem_str[stemlen_copy] = '\0';
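
Review bot: The clamp in the replacement lines still allows a one-byte overrun. When stemlen is greater than or equal to sizeof(stem_str), stemlen_copy ends up equal to sizeof(stem_str), and the following stem_str[stemlen_copy] = '\0' writes one element past the end of stem_str, assuming stem_str is an array of that size as the sizeof comparison implies. Clamp with stemlen >= sizeof(stem_str) ? sizeof(stem_str) - 1 : stemlen so the terminator stays in bounds. Separately, the clamp silently truncates the stem, so later users of stem_str see a different string than the one that was matched; reporting an error for an oversized stem, or sizing the buffer from stemlen, would avoid that.
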
The proposed patch has yet another buffer overrun, off by one.
-Rob