PlaneteCasio
/
libc
1
0
Fork 0
Code Issues 6 Pull Requests Releases Wiki Activity

* libc/posix/readdir_r.c: Fix potential read past dirp->dd_buf.

This commit is contained in:
Corinna Vinschen 2013-06-19 15:54:20 +00:00
parent c1d6d05470
commit 04f8f69cb7
2 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
newlib/ChangeLog
View File

@ -1,4 +1,8 @@
2013-06-13 Bin Cheng <bin.cheng@arm.com>
2013-06-19 Terraneo Federico <fede.tft@hotmail.it>
* libc/posix/readdir_r.c: Fix potential read past dirp->dd_buf.
2013-06-13 Bir Cheng <bin.cheng@arm.com>
* README: Add description for NEWLIB's feature customizing
configuration options.

8
newlib/libc/posix/readdir_r.c
View File

@ -42,6 +42,7 @@ static char sccsid[] = "@(#)readdir.c 5.7 (Berkeley) 6/1/90";
#include <dirent.h>
#include <errno.h>
#include <string.h>
#include <sys/param.h>
extern int getdents (int fd, void *dp, int count);
@ -84,16 +85,17 @@ struct dirent *tmpdp;
continue;
}
tmpdp = (struct dirent *)(dirp->dd_buf + dirp->dd_loc);
memcpy (dp, tmpdp, sizeof(struct dirent));
if (dp->d_reclen <= 0 ||
dp->d_reclen > dirp->dd_len + 1 - dirp->dd_loc) {
if (tmpdp->d_reclen <= 0 ||
tmpdp->d_reclen > dirp->dd_len + 1 - dirp->dd_loc) {
#ifdef HAVE_DD_LOCK
__lock_release_recursive(dirp->dd_lock);
#endif
*dpp = NULL;
return -1;
}
memcpy (dp, tmpdp, MIN (tmpdp->d_reclen, sizeof (struct dirent)));
dirp->dd_loc += dp->d_reclen;
if (dp->d_ino == 0)
continue;