https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=5dd3d58c02924b4b98b200c81c6c6d9fd5d9312a
commit 5dd3d58c02924b4b98b200c81c6c6d9fd5d9312a Author: Jeremy Drake via Cygwin-patches <cygwin-patc...@cygwin.com> Date: Tue Apr 29 10:42:58 2025 -0700 Cygwin: cygwin_conv_path: don't write to `to` before size is validated. In the CCP_POSIX_TO_WIN_W path, when `from` is a device, cygwin_conv_path would attempt to write to the `to` buffer before the validation of the `size`. This resulted in an EFAULT error in the common use-case of passing `to` as NULL and `size` as 0 to get the required size of `to` for the conversion (as used in cygwin_create_path). Instead, set a boolean and write to `to` after validation. Fixes: 43f65cdd7dae ("* Makefile.in (DLL_OFILES): Add fhandler_procsys.o.") Addresses: https://cygwin.com/pipermail/cygwin/2025-April/258068.html Signed-off-by: Jeremy Drake <cyg...@jdrake.com> Diff: --- winsup/cygwin/path.cc | 5 ++++- winsup/cygwin/release/3.6.2 | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/winsup/cygwin/path.cc b/winsup/cygwin/path.cc
index 7a08e978a..d26f99ee7 100644
--- a/winsup/cygwin/path.cc
+++ b/winsup/cygwin/path.cc
@@ -3911,6 +3911,7 @@ cygwin_conv_path (cygwin_conv_path_t what, const void *from, void *to,
 int how = what & CCP_CONVFLAGS_MASK;
 what &= CCP_CONVTYPE_MASK;
 int ret = -1;
+ bool prependglobalroot = false;
 __try
 {
@@ -4019,7 +4020,7 @@ cygwin_conv_path (cygwin_conv_path_t what, const void *from, void *to,
 {
 /* Device name points to somewhere else in the NT namespace.
 Use GLOBALROOT prefix to convert to Win32 path. */
- to = (void *) wcpcpy ((wchar_t *) to, ro_u_globalroot.Buffer);
+ prependglobalroot = true;
 lsiz += ro_u_globalroot.Length / sizeof (WCHAR);
 }
 /* TODO: Same ".\\" band-aid as in CCP_POSIX_TO_WIN_A case. */
@@ -4075,6 +4076,8 @@ cygwin_conv_path (cygwin_conv_path_t what, const void *from, void *to,
 stpcpy ((char *) to, buf);
 break;
 case CCP_POSIX_TO_WIN_W:
+ if (prependglobalroot)
+ to = (void *) wcpcpy ((PWCHAR) to, ro_u_globalroot.Buffer);
 wcpcpy ((PWCHAR) to, path);
 break;
 }
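Review bot: The new flag `prependglobalroot` in the first path.cc hunk carries a memory-safety invariant that is not written down in the code: nothing may be stored through `to` until `size` has been checked, because callers pass `to` as NULL and `size` as 0 to query the required length. I would state that on the declaration, e.g. `/* GLOBALROOT is copied into 'to' only after the size check; 'to' may be NULL on a size query. */`. The second hunk still adds `ro_u_globalroot.Length / sizeof (WCHAR)` to `lsiz` where the flag is set, while the copy itself now sits in the third hunk's `case CCP_POSIX_TO_WIN_W:`, so the length accounting and the write live in different places and have to be kept in step by hand. The size validation lies between these hunks and is not visible here, so this assumes it runs before the final switch, as the commit message says. A regression test that calls the CCP_POSIX_TO_WIN_W conversion on a device path with a NULL buffer and size 0 would pin the fixed behaviour.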
diff --git a/winsup/cygwin/release/3.6.2 b/winsup/cygwin/release/3.6.2
index bceabcab3..de6eae13f 100644
--- a/winsup/cygwin/release/3.6.2
+++ b/winsup/cygwin/release/3.6.2
@@ -13,3 +13,6 @@ Fixes:
 - Fix setting DOS attributes on devices.
 Addresse: https://cygwin.com/pipermail/cygwin/2025-April/257940.html
+
+- Fix cygwin_conv_path writing to 'to' pointer before size is checked.
+ Addresses: https://cygwin.com/pipermail/cygwin/2025-April/258068.html