diff options
| author | Eli Zaretskii | 2014-04-26 10:06:33 +0300 |
|---|---|---|
| committer | Eli Zaretskii | 2014-04-26 10:06:33 +0300 |
| commit | 7ece6d40142cad22fe342ae522e24c9b8b5e75a3 (patch) | |
| tree | e3d5ea90a5e58c3a444caa5ed27247b0e0d6dd2a /nt/cmdproxy.c | |
| parent | 0507406b6ca75c4366dd16855123e8fc9b012c6b (diff) | |
| download | emacs-7ece6d40142cad22fe342ae522e24c9b8b5e75a3.tar.gz emacs-7ece6d40142cad22fe342ae522e24c9b8b5e75a3.zip | |
Fix bug #17334 with overrunning string bounds when PATH is broken.
nt/cmdproxy.c (make_absolute): Don't copy more characters from PATH
than a single directory name can hold.
Diffstat (limited to 'nt/cmdproxy.c')
| -rw-r--r-- | nt/cmdproxy.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/nt/cmdproxy.c b/nt/cmdproxy.c index f3433f63684..e48ca63a257 100644 --- a/nt/cmdproxy.c +++ b/nt/cmdproxy.c | |||
| @@ -292,11 +292,15 @@ make_absolute (const char *prog) | |||
| 292 | 292 | ||
| 293 | while (*path) | 293 | while (*path) |
| 294 | { | 294 | { |
| 295 | size_t len; | ||
| 296 | |||
| 295 | /* Get next directory from path. */ | 297 | /* Get next directory from path. */ |
| 296 | p = path; | 298 | p = path; |
| 297 | while (*p && *p != ';') p++; | 299 | while (*p && *p != ';') p++; |
| 298 | strncpy (dir, path, p - path); | 300 | /* A broken PATH could have too long directory names in it. */ |
| 299 | dir[p - path] = '\0'; | 301 | len = min (p - path, sizeof (dir) - 1); |
| 302 | strncpy (dir, path, len); | ||
| 303 | dir[len] = '\0'; | ||
| 300 | 304 | ||
| 301 | /* Search the directory for the program. */ | 305 | /* Search the directory for the program. */ |
| 302 | if (search_dir (dir, prog, MAX_PATH, absname) > 0) | 306 | if (search_dir (dir, prog, MAX_PATH, absname) > 0) |