From c9e93e6739230e8036c5a8818658d960c2c4efe2 Mon Sep 17 00:00:00 2001
From: Jilles Tjoelker <jilles@FreeBSD.org>
Date: Sun, 22 May 2011 12:12:28 +0000
Subject: [PATCH] sh: Fix bss-based buffer overflow in . builtin.

If the length of a directory in PATH together with the given filename
exceeded FILENAME_MAX (which may happen even for pathnames that work), a
static buffer was overflown.

The static buffer is unnecessary, we can use the stalloc() stack.

Obtained from:	NetBSD
MFC after:	1 week
---
 bin/sh/main.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/bin/sh/main.c b/bin/sh/main.c
index d9629204647b..408d37c1b11b 100644
--- a/bin/sh/main.c
+++ b/bin/sh/main.c
@@ -281,7 +281,6 @@ readcmdfile(const char *name)
 static char *
 find_dot_file(char *basename)
 {
-	static char localname[FILENAME_MAX+1];
 	char *fullname;
 	const char *path = pathval();
 	struct stat statb;
@@ -291,10 +290,14 @@ find_dot_file(char *basename)
 		return basename;
 
 	while ((fullname = padvance(&path, basename)) != NULL) {
-		strcpy(localname, fullname);
+		if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode)) {
+			/*
+			 * Don't bother freeing here, since it will
+			 * be freed by the caller.
+			 */
+			return fullname;
+		}
 		stunalloc(fullname);
-		if ((stat(fullname, &statb) == 0) && S_ISREG(statb.st_mode))
-			return localname;
 	}
 	return basename;
 }