Fix BZ 22786: integer addition overflow may cause stack buffer overflow

when realpath() input length is close to SSIZE_MAX. 2018-05-09 Paul Pluzhnikov <ppluzhnikov@google.com> [BZ #22786] * stdlib/canonicalize.c (__realpath): Fix overflow in path length computation. * stdlib/Makefile (test-bz22786): New test. * stdlib/test-bz22786.c: New test.
2025-07-29 11:41:21 +03:00 · 2018-05-08 18:12:41 -07:00
parent aaee3cd88e
commit 5460617d15
4 changed files with 100 additions and 2 deletions
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@ -181,7 +181,7 @@ __realpath (const char *name, char *resolved)
 		extra_buf = __alloca (path_max);

 	      len = strlen (end);
-	      if ((long int) (n + len) >= path_max)
+	      if (path_max - n <= len)
 		{
 		  __set_errno (ENAMETOOLONG);
 		  goto error;