[bug #65172] Fix a buffer overrun on a variable with a long name.


From: Dmitry Goncharov
Subject: [bug #65172] Fix a buffer overrun on a variable with a long name.
Date: Tue, 16 Jan 2024 17:47:58 -0500 (EST)

Follow-up Comment #1, bug#65172 (group make):

A user reported a buffer overflow on a variable with a long name.


Here is a fix.

    [SV 65172] Fix a buffer overrun on a variable with a long name.

    * src/expand.c (recursively_expand_for_file): Fix a buffer overrun.
    * tests/scripts/functions/shell: Add a test.

diff --git a/src/expand.c b/src/expand.c
index fe09c9c3..283a3d47 100644
--- a/src/expand.c
+++ b/src/expand.c
@@ -164,9 +164,11 @@ recursively_expand_for_file (struct variable *v, struct
file *file)
       /* We could create a hash for the original environment for speed, but
a
          reasonably written makefile shouldn't hit this situation...  */
       for (ep = environ; *ep != 0; ++ep)
-        if ((*ep)[nl] == '=' && strncmp (*ep, v->name, nl) == 0)
-          return xstrdup ((*ep) + nl + 1);
-
+        {
+          size_t len = strlen (*ep);
+          if (len >= nl && (*ep)[nl] == '=' && memcmp (*ep, v->name, nl) ==
0)
+            return xstrdup ((*ep) + nl + 1);
+        }
       /* If there's nothing in the parent environment, use the empty string.
          This isn't quite correct since the variable should not exist at
all,
          but getting that to work would be involved. */
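
Review bot: in the new loop body, strlen (*ep) walks every environment string in full on each lookup only to guard the (*ep)[nl] read. Assuming nl is the length of v->name, as its use as the compare length suggests, reordering the original test to `strncmp (*ep, v->name, nl) == 0 && (*ep)[nl] == '='` gives the same protection without the extra pass: strncmp stops at the terminator of a shorter *ep and returns nonzero, so (*ep)[nl] is only read when *ep has at least nl bytes before its terminator. If the strlen form stays, a one-line comment saying why len is checked before indexing would help. The hunk also drops the blank line that separated the loop from the following comment, which could be kept.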




Here is a test.

    [SV 65172] Fix a buffer overrun on a variable with a long name.

    * src/expand.c (recursively_expand_for_file): Fix a buffer overrun.
    * tests/scripts/functions/shell: Add a test.

diff --git a/tests/scripts/functions/shell b/tests/scripts/functions/shell
index e5c346cc..b9b9ee32 100644
--- a/tests/scripts/functions/shell
+++ b/tests/scripts/functions/shell
@@ -213,4 +213,15 @@ endif
                   '--no-print-directory -j2', ": 2\n: 1");
 }

+if ($port_type eq 'UNIX') {
+    # sv 65172.
+    # Buffer overrun in recursively_expand_for_file on a variable with a
long
+    # name.
+    my $v = "a1234567890" x 4 x 1000;
+    run_make_test("
+export $v=\$(shell echo hello)
+all:; \@echo \$\$$v
+", '', "hello\n");
+}
+
 1;
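
Review bot: the expected output "hello\n" passed to run_make_test is the same whether or not the out-of-bounds read happens, so on an unpatched make this test only fails if the read actually faults or the suite runs under a memory checker. A comment in the test stating that dependence would help the next reader. The `if ($port_type eq 'UNIX')` guard has no note on why other ports are skipped, and `"a1234567890" x 4 x 1000` would read more plainly with a single repeat count.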



The original mail is here
https://lists.gnu.org/archive/html/bug-make/2024-01/msg00044.html


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?65172>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/



