Skip to content

Commit

Permalink
truename: fix array overrun [fixes #212]
Browse files Browse the repository at this point in the history 
src[-2] was peeking into a random memory location.
It seems entire truename() is written by some morons... :(
Its completely unreadable and full of bugs.
  • Loading branch information
@stsp
stsp committed Feb 1, 2023
1 parent d12b5f5 commit fe1c4dc
Showing 1 changed file with 13 additions and 9 deletions.
22 changes: 13 additions & 9 deletions kernel/newstuff.c
View file
Expand Up @@ -186,7 +186,10 @@ long DosMkTmp(char FAR * pathname, UWORD attr)
*/

#define PATH_ERROR goto errRet
#define PATH_ERROR() \
fstrchr(src, '/') == 0 && fstrchr(src, '\\') == 0 \
? DE_FILENOTFND \
: DE_PATHNOTFND
#define PATHLEN 128


Expand Down Expand Up @@ -244,7 +247,7 @@ STATIC const char _DirChars[] = "\"[]:|<>+=;,";

#define addChar(c) \
{ \
if (p >= dest + REMOTE_PATH_MAX) PATH_ERROR; /* path too long */ \
if (p >= dest + REMOTE_PATH_MAX) return PATH_ERROR(); /* path too long */ \
*p++ = c; \
}

Expand Down Expand Up @@ -479,14 +482,18 @@ COUNT truename(__XFAR(const char) src, char FAR *dest, COUNT mode)

if(*src == '.')
{
int dots = 1;
/* special directory component */
++src;
if (*src == '.') /* skip the second dot */
{
++src;
dots++;
}
if (*src == '/' || *src == '\\' || *src == '\0')
{
--p; /* backup the backslash */
if (src[-2] == '.')
if (dots == 2)
{
/* ".." entry */
/* remove last path component */
Expand All @@ -498,12 +505,9 @@ COUNT truename(__XFAR(const char) src, char FAR *dest, COUNT mode)
}

/* ill-formed .* or ..* entries => return error */
errRet:
/* The error is either PATHNOTFND or FILENOTFND
depending on if it is not the last component */
return fstrchr(src, '/') == 0 && fstrchr(src, '\\') == 0
? DE_FILENOTFND
: DE_PATHNOTFND;
return PATH_ERROR();
}

/* normal component */
Expand Down Expand Up @@ -536,7 +540,7 @@ COUNT truename(__XFAR(const char) src, char FAR *dest, COUNT mode)
if (c == '.')
{
if (state & PNE_DOT) /* multiple dots are ill-formed */
PATH_ERROR;
return PATH_ERROR();
/* strip trailing dot */
if (*src == '/' || *src == '\\' || *src == '\0')
break;
Expand All @@ -548,7 +552,7 @@ COUNT truename(__XFAR(const char) src, char FAR *dest, COUNT mode)
state |= PNE_WILDCARD;
if (i) { /* name length in limits */
--i;
if (!DirChar(c)) PATH_ERROR;
if (!DirChar(c)) return PATH_ERROR();
addChar(c);
}
}
Expand Down

0 comments on commit fe1c4dc

Please sign in to comment.