Ticket #61: file_info_overflow.diff.txt

Index: runtime.c
===================================================================
--- runtime.c   (revision 15279)
+++ runtime.c   (working copy)
@@ -3875,6 +3875,8 @@
   if(msg != C_SCHEME_FALSE) {
     int n = C_header_size(msg);
 
+    if (n >= sizeof(buffer))
+      n = sizeof(buffer) - 1;
     C_strncpy(buffer, (C_char *)C_data_pointer(msg), n);
     buffer[ n ] = '\0';
   }
@@ -3904,6 +3906,8 @@
 #ifdef C_MICROSOFT_WINDOWS
   int n = C_header_size(msg);
 
+  if (n >= sizeof(buffer))
+    n = sizeof(buffer) - 1;
   C_strncpy(buffer, (C_char *)((C_SCHEME_BLOCK *)msg)->data, n);
   buffer[ n ] = '\0';
   MessageBox(NULL, buffer, C_text("CHICKEN runtime"), MB_OK);
@@ -7302,6 +7306,7 @@
     C_strncpy(buf, C_c_string(channel), n);
     buf[ n ] = '\0';
     n = C_header_size(mode);
+    if (n >= sizeof(fmode)) n = sizeof(fmode) - 1;
     C_strncpy(fmode, C_c_string(mode), n);
     fmode[ n ] = '\0';
     fp = C_fopen(buf, fmode);
@@ -7999,19 +8004,26 @@
       v = C_SCHEME_FALSE,
       t, f1, f2, f3;
   int len = C_header_size(name);
+  char *buffer2;
 
 #ifdef _MSC_VER
   struct _stat buf;
 #else
   struct stat buf;
 #endif
-  C_strncpy(buffer, C_c_string(name), len);
-  buffer[ len ] = '\0';
 
+  buffer2 = buffer;
+  if(len >= sizeof(buffer)) {
+    if((buffer2 = (char *)C_malloc(len + 1)) == NULL)
+      barf(C_OUT_OF_MEMORY_ERROR, "stat");
+  }
+  C_strncpy(buffer2, C_c_string(name), len);
+  buffer2[ len ] = '\0';
+
 #ifdef _MSC_VER
-  if(_stat(buffer, &buf) != 0) v = C_SCHEME_FALSE;
+  if(_stat(buffer2, &buf) != 0) v = C_SCHEME_FALSE;
 #else
-  if(stat(buffer, &buf) != 0) v = C_SCHEME_FALSE;
+  if(stat(buffer2, &buf) != 0) v = C_SCHEME_FALSE;
 #endif
   else {
     switch(buf.st_mode & S_IFMT) {
@@ -8032,6 +8044,9 @@
                 C_fix(buf.st_size), C_fix(t), C_fix(buf.st_mode), C_fix(buf.st_uid) ); 
   }
 
+  if (buffer2 != buffer)
+    free(buffer2);
+
   C_kontinue(k, v);
 }