From: Darrick J. Wong <djwong@xxxxxxxxxx>
Fix a buffer overrun when converting a path list to a string.
Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
libfrog/paths.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libfrog/paths.c b/libfrog/paths.c
index cc43b02c4..42e000295 100644
--- a/libfrog/paths.c
+++ b/libfrog/paths.c
@@ -694,13 +694,18 @@ path_list_to_string(
size_t buflen)
{
struct path_component *pos;
+ char *buf_end = buf + buflen;
ssize_t bytes = 0;
int ret;
list_for_each_entry(pos, &path->p_head, pc_list) {
+ if (buf >= buf_end)
+ return -1;
+
ret = snprintf(buf, buflen, "/%s", pos->pc_fname);
- if (ret != 1 + strlen(pos->pc_fname))
+ if (ret < 0 || ret >= buflen)
return -1;
+
bytes += ret;
buf += ret;
buflen -= ret;
