Ticket #61: file_info_overflow.diff.txt

File file_info_overflow.diff.txt, 1.9 KB (added by Jim Ursetto, 11 years ago)
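Index: runtime.c
===================================================================
--- runtime.c   (revision 15279)
+++ runtime.c   (working copy)
@@ -3875,6 +3875,8 @@
   if(msg != C_SCHEME_FALSE) {
     int n = C_header_size(msg);
 
+    if (n >= sizeof(buffer))
+      n = sizeof(buffer) - 1;
     C_strncpy(buffer, (C_char *)C_data_pointer(msg), n);
     buffer[ n ] = '\0';
   }
@@ -3904,6 +3906,8 @@
 #ifdef C_MICROSOFT_WINDOWS
   int n = C_header_size(msg);
 
+  if (n >= sizeof(buffer))
+    n = sizeof(buffer) - 1;
   C_strncpy(buffer, (C_char *)((C_SCHEME_BLOCK *)msg)->data, n);
   buffer[ n ] = '\0';
   MessageBox(NULL, buffer, C_text("CHICKEN runtime"), MB_OK);
@@ -7302,6 +7306,7 @@
     C_strncpy(buf, C_c_string(channel), n);
     buf[ n ] = '\0';
     n = C_header_size(mode);
+    if (n >= sizeof(fmode)) n = sizeof(fmode) - 1;
     C_strncpy(fmode, C_c_string(mode), n);
     fmode[ n ] = '\0';
     fp = C_fopen(buf, fmode);
@@ -7999,19 +8004,26 @@
       v = C_SCHEME_FALSE,
       t, f1, f2, f3;
   int len = C_header_size(name);
+  char *buffer2;
 
 #ifdef _MSC_VER
   struct _stat buf;
 #else
   struct stat buf;
 #endif
-  C_strncpy(buffer, C_c_string(name), len);
-  buffer[ len ] = '\0';
 
+  buffer2 = buffer;
+  if(len >= sizeof(buffer)) {
+    if((buffer2 = (char *)C_malloc(len + 1)) == NULL)
+      barf(C_OUT_OF_MEMORY_ERROR, "stat");
+  }
+  C_strncpy(buffer2, C_c_string(name), len);
+  buffer2[ len ] = '\0';
+
 #ifdef _MSC_VER
-  if(_stat(buffer, &buf) != 0) v = C_SCHEME_FALSE;
+  if(_stat(buffer2, &buf) != 0) v = C_SCHEME_FALSE;
 #else
-  if(stat(buffer, &buf) != 0) v = C_SCHEME_FALSE;
+  if(stat(buffer2, &buf) != 0) v = C_SCHEME_FALSE;
 #endif
   else {
     switch(buf.st_mode & S_IFMT) {
@@ -8032,6 +8044,9 @@
                 C_fix(buf.st_size), C_fix(t), C_fix(buf.st_mode), C_fix(buf.st_uid) );
   }
 
+  if (buffer2 != buffer)
+    free(buffer2);
+
   C_kontinue(k, v);
 }
 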
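Review bot: In the last two hunks the long-name path allocates with `C_malloc(len + 1)` but releases with plain `free(buffer2)`; use the matching wrapper, `if (buffer2 != buffer) C_free(buffer2);`, so the pair stays correct if the runtime's allocator macros are ever redirected. The clamps in the first three hunks, and the `len >= sizeof(buffer)` test in the fourth, compare an `int` against `sizeof(...)`; this catches a negative or truncated length only because of the implicit conversion to unsigned, so an explicit `if ((size_t)n >= sizeof(buffer))` would make that reliance visible and silence the signed/unsigned warning. In the `@@ -7302` hunk the context lines copy `channel` into `buf` with the same strncpy-then-terminate pattern, and whether that `n` is bounded against `sizeof(buf)` is not visible here, so it is worth confirming. The enclosing functions start and end outside the hunks, so any early exit between the allocation and the release cannot be checked from this page.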