[PATCH] Prevent buffer overflows when path is too long

[Antoine Pelisse]

Some buffers created with PATH_MAX length are not checked when being
written, and can overflow if PATH_MAX is not big enough to hold the
path.

Some of the use-case are probably impossible to reach, and the program
dies if the path looks too long. When it would be possible for the user
to use a longer path, simply use strbuf to build it.

Reported-by: Wataru Noguchi <wnoguchi.0...@gmail.com>
Signed-off-by: Antoine Pelisse <apeli...@gmail.com>
---
 abspath.c        | 10 ++++++++--
 diffcore-order.c | 14 +++++++++-----
 unpack-trees.c   |  2 ++
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/abspath.c b/abspath.c
index e390994..29a5f9d 100644
--- a/abspath.c
+++ b/abspath.c
@@ -216,11 +216,16 @@ const char *absolute_path(const char *path)
 const char *prefix_filename(const char *pfx, int pfx_len, const char *arg)
 {
        static char path[PATH_MAX];
+
+       if (pfx_len >= PATH_MAX)
+               die("Too long prefix path: %s", pfx);
+
 #ifndef GIT_WINDOWS_NATIVE
        if (!pfx_len || is_absolute_path(arg))
                return arg;
        memcpy(path, pfx, pfx_len);
-       strcpy(path + pfx_len, arg);
+       if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX)
+               die("Too long path: %s", path);
 #else
        char *p;
        /* don't add prefix to absolute paths, but still replace '\' by '/' */
@@ -228,7 +233,8 @@ const char *prefix_filename(const char *pfx, int pfx_len, 
const char *arg)
                pfx_len = 0;
        else if (pfx_len)
                memcpy(path, pfx, pfx_len);
-       strcpy(path + pfx_len, arg);
+       if (strlcpy(path + pfx_len, arg, PATH_MAX - pfx_len) > PATH_MAX)
+               die("Too long path: %s", path);
        for (p = path + pfx_len; *p; p++)
                if (*p == '\\')
                        *p = '/';
diff --git a/diffcore-order.c b/diffcore-order.c
index 23e9385..87193f8 100644
--- a/diffcore-order.c
+++ b/diffcore-order.c
@@ -73,20 +73,24 @@ struct pair_order {
 static int match_order(const char *path)
 {
        int i;
-       char p[PATH_MAX];
+       struct strbuf p = STRBUF_INIT;
 
        for (i = 0; i < order_cnt; i++) {
-               strcpy(p, path);
-               while (p[0]) {
+               strbuf_reset(&p);
+               strbuf_addstr(&p, path);
+               while (p.buf[0]) {
                        char *cp;
-                       if (!fnmatch(order[i], p, 0))
+                       if (!fnmatch(order[i], p.buf, 0)) {
+                               strbuf_release(&p);
                                return i;
-                       cp = strrchr(p, '/');
+                       }
+                       cp = strrchr(p.buf, '/');
                        if (!cp)
                                break;
                        *cp = 0;
                }
        }
+       strbuf_release(&p);
        return order_cnt;
 }
 
diff --git a/unpack-trees.c b/unpack-trees.c
index 35cb05e..f93565b 100644
--- a/unpack-trees.c
+++ b/unpack-trees.c
@@ -918,6 +918,8 @@ static int clear_ce_flags_1(struct cache_entry **cache, int 
nr,
                        int processed;
 
                        len = slash - name;
+                       if (len + prefix_len >= PATH_MAX)
+                               die("Too long path: %s", prefix);
                        memcpy(prefix + prefix_len, name, len);
 
                        /*
-- 
1.8.5.rc3.1.ga0b6b91

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html