Prevent buffer overflow if NLSPATH is too long

2000-09-08 11:42:37 +00:00 · 2000-09-08 11:42:37 +00:00 · 86797bf956
commit 86797bf956
parent f907abc0b3
1 changed files with 7 additions and 1 deletions
--- a/lib/libc/nls/msgcat.c
+++ b/lib/libc/nls/msgcat.c
@ -144,6 +144,8 @@ catopen( name, type)
 				++nlspath;
 				/* fallthrough */
 			    default:
+				if (pathP - path >= sizeof(path) - 1)
+					goto too_long;
 				*(pathP++) = *nlspath;
 				continue;
 			}
@ -151,13 +153,17 @@ catopen( name, type)
 		put_tmpptr:
 	        	spcleft = sizeof(path) - (pathP - path) - 1;
 		    	if (strlcpy(pathP, tmpptr, spcleft) >= spcleft) {
+		too_long:
 				free(plang);
 				free(base);
 				NLRETERR(ENAMETOOLONG);
 			}
 		    	pathP += strlen(tmpptr);
-	    	  } else
+		  } else {
+			if (pathP - path >= sizeof(path) - 1)
+				goto too_long;
 			*(pathP++) = *nlspath;
+		  }
 		}
 		*pathP = '\0';
 		if (stat(path, &sbuf) == 0) {