]> granicus.if.org Git - flex/commitdiff
scanner: allocate correct buffer size for m4 path.
authorSamuel Thibault <samuel.thibault@ens-lyon.org>
Thu, 29 Dec 2016 13:44:22 +0000 (08:44 -0500)
committerWill Estes <westes575@gmail.com>
Thu, 29 Dec 2016 13:47:10 +0000 (08:47 -0500)
Flex did not check the length of the m4 path which could lead to a
buffer overflow in some cases. Additionally, not all platforms believe
in PATH_MAX, so stop relying on it.

Fixes #138

src/main.c

index 9103abf33d8ea2bfe42829d1b2b510e99661c9c3..0c0e360179c3ce6250d5c0a1d4dae97c1722125e 100644 (file)
@@ -351,8 +351,8 @@ void check_options (void)
                        if (!path) {
                                m4 = M4;
                        } else {
+                               int m4_length = strlen(m4);
                                do {
-                                       char m4_path[PATH_MAX];
                                        size_t length = strlen(path);
                                        struct stat sbuf;
 
@@ -360,19 +360,17 @@ void check_options (void)
                                        if (!endOfDir)
                                                endOfDir = path+length;
 
-                                       if (endOfDir + 2 >= path + sizeof(m4_path)) {
-                                           path = endOfDir+1;
-                                               continue;
-                                       }
-
-                                       strncpy(m4_path, path, sizeof(m4_path));
-                                       m4_path[endOfDir-path] = '/';
-                                       m4_path[endOfDir-path+1] = '\0';
-                                       strncat(m4_path, m4, sizeof(m4_path) - strlen(m4_path) - 1);
-                                       if (stat(m4_path, &sbuf) == 0 &&
-                                               (S_ISREG(sbuf.st_mode)) && sbuf.st_mode & S_IXUSR) {
-                                               m4 = strdup(m4_path);
-                                               break;
+                                       {
+                                               char m4_path[endOfDir-path + 1 + m4_length + 1];
+
+                                               memcpy(m4_path, path, endOfDir-path);
+                                               m4_path[endOfDir-path] = '/';
+                                               memcpy(m4_path + (endOfDir-path) + 1, m4, m4_length + 1);
+                                               if (stat(m4_path, &sbuf) == 0 &&
+                                                       (S_ISREG(sbuf.st_mode)) && sbuf.st_mode & S_IXUSR) {
+                                                       m4 = strdup(m4_path);
+                                                       break;
+                                               }
                                        }
                                        path = endOfDir+1;
                                } while (path[0]);