* lib/buildcmd.c (bc_push_arg): Take prefix length into account
to avoid state->argbuf overflow.
* NEWS: Mention this fix.
---
It would be a security issue if one could control factors triggering this bug, which include a directory with thousands of files. ChangeLog | 7 +++++++ NEWS | 2 ++ lib/buildcmd.c | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e6914ff..7b4f3e0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2013-05-15 Dmitry V. Levin <[email protected]> + + find: fix potential buffer overflow in -execdir and -okdir. + * lib/buildcmd.c (bc_push_arg): Take prefix length into account + to avoid state->argbuf overflow. + * NEWS: Mention this fix. + 2013-04-22 Paul Eggert <[email protected]> More removal of support for -perm +MODE. diff --git a/NEWS b/NEWS index 4349a21..010ba6e 100644 --- a/NEWS +++ b/NEWS @@ -30,6 +30,8 @@ The documentation for xargs now warns about parallel processes (xargs Some bugs in 4.5.11 were fixed without adding them to the bug database, though they are in the ChangeLog: +*** find -execdir/-okdir potential buffer overflow. + *** Use of [[ ... ]] in find/testsuite/sv-bug-32043.sh *** Don't delete header files in "lib/" for "make clean". diff --git a/lib/buildcmd.c b/lib/buildcmd.c index d135692..2616ed6 100644 --- a/lib/buildcmd.c +++ b/lib/buildcmd.c @@ -364,7 +364,7 @@ bc_push_arg (struct buildcmd_control *ctl, if (!terminate) { - if (state->cmd_argv_chars + len > ctl->arg_max) + if (state->cmd_argv_chars + len + pfxlen > ctl->arg_max) { if (initial_args || state->cmd_argc == ctl->initial_argc) error (EXIT_FAILURE, 0, -- ldv
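Review bot: In the lib/buildcmd.c hunk (bc_push_arg, the `!terminate` branch), the corrected bound `state->cmd_argv_chars + len + pfxlen > ctl->arg_max` comes with no regression test: the diffstat lists only ChangeLog, NEWS and lib/buildcmd.c. Suggest adding a testsuite case that runs -execdir over a directory with enough entries to reach the arg_max boundary, since that is the trigger the cover note names. It is also worth confirming that the rest of bc_push_arg, which this hunk does not show, counts the prefix the same way wherever it updates cmd_argv_chars and copies into state->argbuf, so that the check and the copy cannot drift apart again.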
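Review bot: In the NEWS hunk, the entry `*** find -execdir/-okdir potential buffer overflow.` gives neither the trigger nor the possible security relevance, although the cover note says it would be a security issue if the triggering factors could be controlled. Suggest expanding the entry to name the condition (a directory with thousands of files) and the affected buffer (state->argbuf), so that packagers reading NEWS alone can judge whether to backport.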
