svn commit: r287266 - stable/10/usr.bin/find

Fri, 28 Aug 2015 13:56:34 -0700 

Author: jilles
Date: Fri Aug 28 20:53:08 2015
New Revision: 287266
URL: https://svnweb.freebsd.org/changeset/base/287266

Log:
  MFC r286344: find: Fix segfault with very long path in -exec/-ok ... {} \;.
  
  If the resulting argument is longer than MAXPATHLEN, realloc() was called to
  extend the space, but the new pointer was not correctly stored.
  
  Different from what OpenBSD has done, rewrite brace_subst() to calculate the
  necessary space first and realloc() at most once.
  
  As before, the e_len fields are not updated in case of a realloc.
  Therefore, a following long argument will do another realloc.
  
  PR:           201750

Modified:
  stable/10/usr.bin/find/extern.h
  stable/10/usr.bin/find/misc.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.bin/find/extern.h
==============================================================================
--- stable/10/usr.bin/find/extern.h     Fri Aug 28 20:06:58 2015        
(r287265)
+++ stable/10/usr.bin/find/extern.h     Fri Aug 28 20:53:08 2015        
(r287266)
@@ -32,7 +32,7 @@
 
 #include <sys/cdefs.h>
 
-void    brace_subst(char *, char **, char *, int);
+void    brace_subst(char *, char **, char *, size_t);
 PLAN   *find_create(char ***);
 int     find_execute(PLAN *, char **);
 PLAN   *find_formplan(char **);

Modified: stable/10/usr.bin/find/misc.c
==============================================================================
--- stable/10/usr.bin/find/misc.c       Fri Aug 28 20:06:58 2015        
(r287265)
+++ stable/10/usr.bin/find/misc.c       Fri Aug 28 20:53:08 2015        
(r287266)
@@ -57,23 +57,33 @@ __FBSDID("$FreeBSD$");
  *     Replace occurrences of {} in s1 with s2 and return the result string.
  */
 void
-brace_subst(char *orig, char **store, char *path, int len)
+brace_subst(char *orig, char **store, char *path, size_t len)
 {
-       int plen;
-       char ch, *p;
+       const char *pastorigend, *p, *q;
+       char *dst;
+       size_t newlen, plen;
 
        plen = strlen(path);
-       for (p = *store; (ch = *orig) != '\0'; ++orig)
-               if (ch == '{' && orig[1] == '}') {
-                       while ((p - *store) + plen > len)
-                               if (!(*store = realloc(*store, len *= 2)))
-                                       err(1, NULL);
-                       memmove(p, path, plen);
-                       p += plen;
-                       ++orig;
-               } else
-                       *p++ = ch;
-       *p = '\0';
+       newlen = strlen(orig) + 1;
+       pastorigend = orig + newlen;
+       for (p = orig; (q = strstr(p, "{}")) != NULL; p = q + 2) {
+               if (plen > 2 && newlen + plen - 2 < newlen)
+                       errx(2, "brace_subst overflow");
+               newlen += plen - 2;
+       }
+       if (newlen > len) {
+               *store = reallocf(*store, newlen);
+               if (*store == NULL)
+                       err(2, NULL);
+       }
+       dst = *store;
+       for (p = orig; (q = strstr(p, "{}")) != NULL; p = q + 2) {
+               memcpy(dst, p, q - p);
+               dst += q - p;
+               memcpy(dst, path, plen);
+               dst += plen;
+       }
+       memcpy(dst, p, pastorigend - p);
 }
 
 /*
_______________________________________________
svn-src-stable-10@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-stable-10
To unsubscribe, send any mail to "svn-src-stable-10-unsubscr...@freebsd.org"

Reply via email to