
Changeset 2837 in kBuild for trunk


Timestamp:
Aug 24, 2016 12:11:24 PM (8 years ago)
Author:
bird
Message:

kbuild_apply_defpath: Fixed heap corruption when DEFPATH isn't absolute.

File:
1 edited

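--- a/trunk/src/kmk/kbuild.c
+++ b/trunk/src/kmk/kbuild.c
@@ -383,4 +383,5 @@
     const char *pszInCur;
     unsigned int cchInCur;
+    unsigned int cchMaxRelative = 0;
     unsigned int cRelativePaths;
 
@@ -390,5 +391,5 @@
     cRelativePaths = 0;
     pszIterator = *ppsz;
-    while ((pszInCur = find_next_token(&pszIterator, &cchInCur)))
+    while ((pszInCur = find_next_token(&pszIterator, &cchInCur)) != NULL)
     {
         /* is relative? */
@@ -398,5 +399,9 @@
         if (pszInCur[0] != '/')
 #endif
+        {
             cRelativePaths++;
+            if (cchInCur > cchMaxRelative)
+                cchMaxRelative = cchInCur;
+        }
     }
 
@@ -406,8 +411,26 @@
     if (cRelativePaths)
     {
-        const size_t cchOut = *pcch + cRelativePaths * (pDefPath->value_length + 1) + 1;
-        char *pszOut = xmalloc(cchOut);
-        char *pszOutCur = pszOut;
+        size_t const cchAbsPathBuf = MAX(GET_PATH_MAX, pDefPath->value_length + cchInCur + 1 + 16);
+        char *pszAbsPathOut = (char *)alloca(cchAbsPathBuf);
+        char *pszAbsPathIn  = (char *)alloca(cchAbsPathBuf);
+        size_t cchAbsDefPath;
+        size_t cchOut;
+        char *pszOut;
+        char *pszOutCur;
         const char *pszInNextCopy = *ppsz;
+
+        /* make defpath absolute and have a trailing slash first. */
+        if (abspath(pDefPath->value, pszAbsPathIn) == NULL)
+            memcpy(pszAbsPathIn, pDefPath->value, pDefPath->value_length);
+        cchAbsDefPath = strlen(pszAbsPathIn);
+#ifdef HAVE_DOS_PATHS
+        if (pszAbsPathIn[cchAbsDefPath - 1] != '/' && pszAbsPathIn[cchAbsDefPath - 1] != '\\')
+#else
+        if (pszAbsPathIn[cchAbsDefPath - 1] != '/')
+#endif
+            pszAbsPathIn[cchAbsDefPath++] = '/';
+
+        cchOut = *pcch + cRelativePaths * cchAbsDefPath + 1;
+        pszOutCur = pszOut = xmalloc(cchOut);
 
         cRelativePaths = 0;
@@ -422,36 +445,33 @@
 #endif
             {
-                PATH_VAR(szAbsPathIn);
-                PATH_VAR(szAbsPathOut);
-
-                if (pDefPath->value_length + cchInCur + 1 >= GET_PATH_MAX)
-                    continue;
+                const char *pszToCopy;
+                size_t      cchToCopy;
 
                 /* Create the abspath input. */
-                memcpy(szAbsPathIn, pDefPath->value, pDefPath->value_length);
-                szAbsPathIn[pDefPath->value_length] = '/';
-                memcpy(&szAbsPathIn[pDefPath->value_length + 1], pszInCur, cchInCur);
-                szAbsPathIn[pDefPath->value_length + 1 + cchInCur] = '\0';
-
-                if (abspath(szAbsPathIn, szAbsPathOut) != NULL)
+                memcpy(&pszAbsPathIn[cchAbsDefPath], pszInCur, cchInCur);
+                pszAbsPathIn[cchAbsDefPath + cchInCur] = '\0';
+
+                pszToCopy = abspath(pszAbsPathIn, pszAbsPathOut);
+                if (!pszToCopy)
+                    pszToCopy = pszAbsPathIn;
+
+                /* copy leading input */
+                if (pszInCur != pszInNextCopy)
                 {
-                    const size_t cchAbsPathOut = strlen(szAbsPathOut);
-                    assert(cchAbsPathOut <= pDefPath->value_length + 1 + cchInCur);
-
-                    /* copy leading input */
-                    if (pszInCur != pszInNextCopy)
-                    {
-                        const size_t cchCopy = pszInCur - pszInNextCopy;
-                        memcpy(pszOutCur, pszInNextCopy, cchCopy);
-                        pszOutCur += cchCopy;
-                    }
-                    pszInNextCopy = pszInCur + cchInCur;
-
-                    /* copy out the abspath. */
-                    memcpy(pszOutCur, szAbsPathOut, cchAbsPathOut);
-                    pszOutCur += cchAbsPathOut;
+                    const size_t cchCopy = pszInCur - pszInNextCopy;
+                    memcpy(pszOutCur, pszInNextCopy, cchCopy);
+                    pszOutCur += cchCopy;
                 }
+                pszInNextCopy = pszInCur + cchInCur;
+
+                /* copy out the abspath. */
+                cchToCopy = strlen(pszToCopy);
+                assert(cchToCopy <= cchAbsDefPath + cchInCur);
+                memcpy(pszOutCur, pszToCopy, cchToCopy);
+                pszOutCur += cchToCopy;
             }
-        }
+            /* else: Copy absolute paths as bulk when we hit then next relative one or the end. */
+        }
+
         /* the final copy (includes the nil). */
         cchInCur = *ppsz + *pcch - pszInNextCopy;
@@ -2025,4 +2045,6 @@
     if (pDefPath && !pDefPath->value_length)
         pDefPath = NULL;
+
+
     pDefs      = kbuild_collect_source_prop(pTarget, pSource, pTool, &Sdks, pType, pBldType, pBldTrg, pBldTrgArch, pBldTrgCpu, NULL,
                                             ST("DEFS"),  ST("defs"), 1/* left-to-right */);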
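Review bot: The new `cchMaxRelative` tracked in the first loop is never read: the `cchAbsPathBuf` computation still uses `cchInCur`, which after the scan loop presumably holds only the last token's length, and the old `pDefPath->value_length + cchInCur + 1 >= GET_PATH_MAX` guard that skipped oversized entries has been removed. A relative entry longer than that value can therefore run past the `alloca` buffers in `memcpy(&pszAbsPathIn[cchAbsDefPath], pszInCur, cchInCur)`, so size with the maximum, `MAX(GET_PATH_MAX, pDefPath->value_length + cchMaxRelative + 1 + 16)`, and, because the absolute DEFPATH can be longer than `value_length`, keep a per-token check such as `if (cchAbsDefPath + cchInCur >= cchAbsPathBuf) continue;`. The fallback taken when `abspath(pDefPath->value, pszAbsPathIn)` fails copies `value_length` bytes without the terminator, so the following `strlen(pszAbsPathIn)` reads uninitialised stack memory; copying `pDefPath->value_length + 1` bytes would fix that. The enclosing function (kbuild_apply_defpath, going by the commit message) starts and ends outside the shown hunks.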
