From 7975c43384d766ca12cb3f292754dbdc34168886 Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Thu, 29 Dec 2016 08:44:22 -0500
Subject: [PATCH] scanner: allocate correct buffer size for m4 path.

Flex did not check the length of the m4 path which could lead to a buffer overflow in some cases. Additionally, not all platforms believe in PATH_MAX, so stop relying on it.

Fixes #138
---
 src/main.c | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/src/main.c b/src/main.c
index 9103abf..0c0e360 100644
--- a/src/main.c
+++ b/src/main.c
@@ -351,8 +351,8 @@ void check_options (void)
 if (!path) {
 m4 = M4;
 } else {
+ int m4_length = strlen(m4);
 do {
- char m4_path[PATH_MAX];
 size_t length = strlen(path);
 struct stat sbuf;
 
@@ -360,19 +360,17 @@ void check_options (void)
 if (!endOfDir)
 endOfDir = path+length;
 
- if (endOfDir + 2 >= path + sizeof(m4_path)) {
- path = endOfDir+1;
- continue;
- }
-
- strncpy(m4_path, path, sizeof(m4_path));
- m4_path[endOfDir-path] = '/';
- m4_path[endOfDir-path+1] = '\0';
- strncat(m4_path, m4, sizeof(m4_path) - strlen(m4_path) - 1);
- if (stat(m4_path, &sbuf) == 0 &&
- (S_ISREG(sbuf.st_mode)) && sbuf.st_mode & S_IXUSR) {
- m4 = strdup(m4_path);
- break;
+ {
+ char m4_path[endOfDir-path + 1 + m4_length + 1];
+
+ memcpy(m4_path, path, endOfDir-path);
+ m4_path[endOfDir-path] = '/';
+ memcpy(m4_path + (endOfDir-path) + 1, m4, m4_length + 1);
+ if (stat(m4_path, &sbuf) == 0 &&
+ (S_ISREG(sbuf.st_mode)) && sbuf.st_mode & S_IXUSR) {
+ m4 = strdup(m4_path);
+ break;
+ }
 }
 path = endOfDir+1;
 } while (path[0]);
-- 
2.40.0
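Review bot: `int m4_length = strlen(m4);` in the first hunk stores a `size_t` in an `int`, and that value is then used as an array bound and a `memcpy` length in the second hunk. Declaring it as `size_t m4_length = strlen(m4);` keeps the size arithmetic in one unsigned type and removes the implicit narrowing. check_options starts before and continues after this hunk.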
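Review bot: The variable-length array `char m4_path[endOfDir-path + 1 + m4_length + 1]` in the second hunk takes its size from a PATH component, so its stack footprint is bounded only by what the environment can hold and an oversized entry has no failure path; VLAs are also optional since C11. A checked heap allocation, as sketched below, keeps the overflow fix and lets a match hand the buffer to `m4` without the extra `strdup`, whose result is not checked here. How an allocation failure should be reported is not visible in the hunk, so that branch is left as a placeholder. Separately, in the context lines, once `endOfDir` falls back to `path+length` it points at the terminator, and `path = endOfDir+1` steps past it before `while (path[0])` reads it; `path = *endOfDir ? endOfDir+1 : endOfDir;` would end the walk at the end of the string. The enclosing function starts and ends outside the hunk.

```c
{
	size_t dir_len = (size_t)(endOfDir - path);
	char *m4_path = malloc(dir_len + 1 + m4_length + 1);

	if (!m4_path) {
		/* placeholder: fail here the way main.c reports other fatal errors; must not fall through */
	}
	memcpy(m4_path, path, dir_len);
	m4_path[dir_len] = '/';
	memcpy(m4_path + dir_len + 1, m4, m4_length + 1);
	if (stat(m4_path, &sbuf) == 0 &&
		(S_ISREG(sbuf.st_mode)) && sbuf.st_mode & S_IXUSR) {
		m4 = m4_path;	/* ownership moves to m4; no second copy */
		break;
	}
	free(m4_path);
}
/* … unchanged: advance path to the next PATH entry … */
```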