f686d7
From a787fc5c556cbbc7f3de308d25b7527f9da5a0da Mon Sep 17 00:00:00 2001
f686d7
From: "Barton E. Schaefer" <schaefer@zsh.org>
f686d7
Date: Sun, 19 Jan 2014 17:41:06 -0800
f686d7
Subject: [PATCH 1/3] 32294: prevent buffer overflow when scanning very long
f686d7
 directory paths for symbolic links
f686d7
f686d7
Upstream-commit: 3e06aeabd8a9e8384ebaa8b08996cd1f64737210
f686d7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
f686d7
---
f686d7
 Src/utils.c | 31 ++++++++++++++++++-------------
f686d7
 1 file changed, 18 insertions(+), 13 deletions(-)
f686d7
f686d7
diff --git a/Src/utils.c b/Src/utils.c
f686d7
index 20fa59d..a197ef8 100644
f686d7
--- a/Src/utils.c
f686d7
+++ b/Src/utils.c
f686d7
@@ -726,32 +726,36 @@ xsymlinks(char *s)
f686d7
     char **pp, **opp;
f686d7
     char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];
f686d7
     int t0, ret = 0;
f686d7
+    zulong xbuflen = strlen(xbuf);
f686d7
 
f686d7
     opp = pp = slashsplit(s);
f686d7
-    for (; *pp; pp++) {
f686d7
-	if (!strcmp(*pp, ".")) {
f686d7
-	    zsfree(*pp);
f686d7
+    for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
f686d7
+	if (!strcmp(*pp, "."))
f686d7
 	    continue;
f686d7
-	}
f686d7
 	if (!strcmp(*pp, "..")) {
f686d7
 	    char *p;
f686d7
 
f686d7
-	    zsfree(*pp);
f686d7
 	    if (!strcmp(xbuf, "/"))
f686d7
 		continue;
f686d7
 	    if (!*xbuf)
f686d7
 		continue;
f686d7
-	    p = xbuf + strlen(xbuf);
f686d7
-	    while (*--p != '/');
f686d7
+	    p = xbuf + xbuflen;
f686d7
+	    while (*--p != '/')
f686d7
+		xbuflen--;
f686d7
 	    *p = '\0';
f686d7
 	    continue;
f686d7
 	}
f686d7
 	sprintf(xbuf2, "%s/%s", xbuf, *pp);
f686d7
 	t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);
f686d7
 	if (t0 == -1) {
f686d7
-	    strcat(xbuf, "/");
f686d7
-	    strcat(xbuf, *pp);
f686d7
-	    zsfree(*pp);
f686d7
+	    zulong pplen = strlen(*pp) + 1;
f686d7
+	    if ((xbuflen += pplen) < sizeof(xbuf)) {
f686d7
+		strcat(xbuf, "/");
f686d7
+		strcat(xbuf, *pp);
f686d7
+	    } else {
f686d7
+		*xbuf = 0;
f686d7
+		break;
f686d7
+	    }
f686d7
 	} else {
f686d7
 	    ret = 1;
f686d7
 	    metafy(xbuf3, t0, META_NOALLOC);
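Review bot: The `sprintf(xbuf2, "%s/%s", xbuf, *pp)` call still runs before any length check on `*pp`, so one over-long path component can overrun `xbuf2[PATH_MAX*2]` even though the later `strcat` into `xbuf` is now guarded. Compute `pplen` ahead of the `sprintf` and bail out first, e.g. `if (xbuflen + pplen + 1 > sizeof(xbuf2)) { *xbuf = 0; break; }`, or switch to `snprintf` and treat truncation as failure. Separately, the `..` branch leaves `xbuflen` one above `strlen(xbuf)`, because the slash that gets overwritten with NUL is never counted; `xbuflen = p - xbuf;` after the scan keeps it exact. The body of xsymlinks() continues past the end of this hunk.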
f686d7
@@ -760,10 +764,9 @@ xsymlinks(char *s)
f686d7
 		xsymlinks(xbuf3 + 1);
f686d7
 	    } else
f686d7
 		xsymlinks(xbuf3);
f686d7
-	    zsfree(*pp);
f686d7
 	}
f686d7
     }
f686d7
-    free(opp);
f686d7
+    freearray(opp);
f686d7
     return ret;
f686d7
 }
f686d7
 
f686d7
@@ -780,8 +783,10 @@ xsymlink(char *s)
f686d7
 	return NULL;
f686d7
     *xbuf = '\0';
f686d7
     xsymlinks(s + 1);
f686d7
-    if (!*xbuf)
f686d7
+    if (!*xbuf) {
f686d7
+	zwarn("path expansion failed, using root directory");
f686d7
 	return ztrdup("/");
f686d7
+    }
f686d7
     return ztrdup(xbuf);
f686d7
 }
f686d7
 
f686d7
-- 
f686d7
2.14.3
f686d7
f686d7
f686d7
From a2de3957b1e6f23c593c47df0a850a8272e7c06a Mon Sep 17 00:00:00 2001
f686d7
From: "Barton E. Schaefer" <schaefer@zsh.org>
f686d7
Date: Fri, 15 Aug 2014 10:19:54 -0700
f686d7
Subject: [PATCH 2/3] 33012: add an error return value (-1) to xsymlinks()
f686d7
f686d7
Upstream-commit: 47d91c5fba6bc90d79503b7c69c6146abb8825f5
f686d7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
f686d7
---
f686d7
 Src/utils.c | 15 ++++++++-------
f686d7
 1 file changed, 8 insertions(+), 7 deletions(-)
f686d7
f686d7
diff --git a/Src/utils.c b/Src/utils.c
f686d7
index a197ef8..d3e5812 100644
f686d7
--- a/Src/utils.c
f686d7
+++ b/Src/utils.c
f686d7
@@ -717,7 +717,6 @@ slashsplit(char *s)
f686d7
 }
f686d7
 
f686d7
 /* expands symlinks and .. or . expressions */
f686d7
-/* if flag = 0, only expand .. and . expressions */
f686d7
 
f686d7
 /**/
f686d7
 static int
f686d7
@@ -754,6 +753,7 @@ xsymlinks(char *s)
f686d7
 		strcat(xbuf, *pp);
f686d7
 	    } else {
f686d7
 		*xbuf = 0;
f686d7
+		ret = -1;
f686d7
 		break;
f686d7
 	    }
f686d7
 	} else {
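Review bot: The function now has three distinct return values, but the comment above it (outside this hunk) still only says that it expands symlinks, so callers must read the body to learn that a negative value means failure. I would add something like `/* returns 1 if a symlink was followed, 0 if none was, -1 if the expanded path did not fit in xbuf (xbuf is then emptied) */` above the definition. This hunk shows only the middle of the loop body.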
f686d7
@@ -761,9 +761,11 @@ xsymlinks(char *s)
f686d7
 	    metafy(xbuf3, t0, META_NOALLOC);
f686d7
 	    if (*xbuf3 == '/') {
f686d7
 		strcpy(xbuf, "");
f686d7
-		xsymlinks(xbuf3 + 1);
f686d7
+		if (xsymlinks(xbuf3 + 1) < 0)
f686d7
+		    ret = -1;
f686d7
 	    } else
f686d7
-		xsymlinks(xbuf3);
f686d7
+		if (xsymlinks(xbuf3) < 0)
f686d7
+		    ret = -1;
f686d7
 	}
f686d7
     }
f686d7
     freearray(opp);
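Review bot: Nothing in the visible code bounds how deep `xsymlinks()` recurses, and each frame carries two `PATH_MAX*2` buffers on the stack. As far as these hunks show, a chain of links that resolves back to itself would keep recursing until the stack is exhausted rather than returning -1. A depth counter checked before the recursive calls, setting `ret = -1` once it passes a limit such as `MAXSYMLINKS`, would route that case into the error path this patch adds. The counter would have to live outside this hunk, since the function takes only `s`.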
f686d7
@@ -782,11 +784,10 @@ xsymlink(char *s)
f686d7
     if (*s != '/')
f686d7
 	return NULL;
f686d7
     *xbuf = '\0';
f686d7
-    xsymlinks(s + 1);
f686d7
-    if (!*xbuf) {
f686d7
+    if (xsymlinks(s + 1) < 0)
f686d7
 	zwarn("path expansion failed, using root directory");
f686d7
+    if (!*xbuf)
f686d7
 	return ztrdup("/");
f686d7
-    }
f686d7
     return ztrdup(xbuf);
f686d7
 }
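Review bot: When `xsymlinks()` reports failure, this code warns and then still returns `/`, because the error path empties `xbuf`; a caller cannot tell that result from a path that really resolved to the root. If any caller acts on the returned directory (callers are not visible here), failing closed is safer: `if (xsymlinks(s + 1) < 0) { zwarn("path expansion failed"); return NULL; }`, matching the `NULL` already returned for non-absolute input. That requires every caller to handle `NULL`, which should be confirmed before changing it. The same fallback to `/` was introduced by the xsymlink() hunk in PATCH 1/3.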
f686d7
 
f686d7
@@ -796,7 +797,7 @@ print_if_link(char *s)
f686d7
 {
f686d7
     if (*s == '/') {
f686d7
 	*xbuf = '\0';
f686d7
-	if (xsymlinks(s + 1))
f686d7
+	if (xsymlinks(s + 1) > 0)
f686d7
 	    printf(" -> "), zputs(*xbuf ? xbuf : "/", stdout);
f686d7
     }
f686d7
 }
f686d7
-- 
f686d7
2.20.1
f686d7
f686d7
f686d7
From c84057916eb96714c03fb0072ad0929152e48f0a Mon Sep 17 00:00:00 2001
f686d7
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
f686d7
Date: Thu, 13 Nov 2014 19:44:01 +0000
f686d7
Subject: [PATCH 3/3] Marc Finet: problems with working directory
f686d7
 rationalisation.
f686d7
f686d7
Ensure the length of the directory is kept up to date.
f686d7
f686d7
Abort following symlinks as soon as there's an error.
f686d7
f686d7
Upstream-commit: c01a178ece6740f719fef81ecdf9283b5c8b71d5
f686d7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
f686d7
---
f686d7
 Src/utils.c | 6 +++++-
f686d7
 1 file changed, 5 insertions(+), 1 deletion(-)
f686d7
f686d7
diff --git a/Src/utils.c b/Src/utils.c
f686d7
index d3e5812..e2ffc38 100644
f686d7
--- a/Src/utils.c
f686d7
+++ b/Src/utils.c
f686d7
@@ -728,7 +728,7 @@ xsymlinks(char *s)
f686d7
     zulong xbuflen = strlen(xbuf);
f686d7
 
f686d7
     opp = pp = slashsplit(s);
f686d7
-    for (; xbuflen < sizeof(xbuf) && *pp; pp++) {
f686d7
+    for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {
f686d7
 	if (!strcmp(*pp, "."))
f686d7
 	    continue;
f686d7
 	if (!strcmp(*pp, "..")) {
f686d7
@@ -763,9 +763,13 @@ xsymlinks(char *s)
f686d7
 		strcpy(xbuf, "");
f686d7
 		if (xsymlinks(xbuf3 + 1) < 0)
f686d7
 		    ret = -1;
f686d7
+		else
f686d7
+		    xbuflen = strlen(xbuf);
f686d7
 	    } else
f686d7
 		if (xsymlinks(xbuf3) < 0)
f686d7
 		    ret = -1;
f686d7
+		else
f686d7
+		    xbuflen = strlen(xbuf);
f686d7
 	}
f686d7
     }
f686d7
     freearray(opp);
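Review bot: The two added `else` branches hang off unbraced `if` statements, and the second pair sits under an unbraced outer `else`, so the pairing depends on the nearest-`if` rule and on indentation rather than on braces. In a function whose bounds tracking depends on `xbuflen` being refreshed on exactly the success path, I would brace both pairs, e.g. `} else { if (xsymlinks(xbuf3) < 0) ret = -1; else xbuflen = strlen(xbuf); }`. The enclosing loop and the start of this `if (*xbuf3 == '/')` statement are outside the hunk.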
f686d7
-- 
f686d7
2.20.1
f686d7