On 16/02/2026 05:06, Chris Down wrote:
file_name_prepend works by right-aligning path data in a growing buffer. When the buffer is too small, it then allocates a new buffer via xpalloc() and copies existing data to the end of the new buffer. Unfortunately, the memcpy destination is computed as buf + p->n_alloc - n_free, but xpalloc has already updated p->n_alloc to the new (larger) allocation size while n_free still reflects the old state. This places the data at too high an offset, writing past the end of the buffer. Update to properly calculate the destination offset. Fixes: 61ab25c3551e ("pwd: prefer xpalloc to xnrealloc") --- src/pwd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pwd.c b/src/pwd.c index 4f30d0765..486e8e670 100644 --- a/src/pwd.c +++ b/src/pwd.c @@ -112,7 +112,7 @@ file_name_prepend (struct file_name *p, char const *s, size_t s_len) copy it only once. */ idx_t n_used = p->n_alloc - n_free; char *buf = xpalloc (NULL, &p->n_alloc, 1 + s_len - n_free, -1, 1); - p->start = memcpy (buf + p->n_alloc - n_free, p->start, n_used); + p->start = memcpy (buf + p->n_alloc - n_used, p->start, n_used); free (p->buf); p->buf = buf; } base-commit: f529c331232e514e652b9990a88c27810f56113a
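Review bot: The corrected destination `buf + p->n_alloc - n_used` is the right one: `n_used` is computed from the old `p->n_alloc` before `xpalloc` grows it, so the `n_used` existing bytes land flush against the end of the new allocation, whereas the old `- n_free` term subtracted the stale free count from the new, larger size and so ended the copy `n_used - n_free` bytes past the end of the new buffer. Since the hunk only changes the destination, a regression test that prepends enough path components to force at least one reallocation (and is run under ASan or valgrind) would pin the fix and catch a recurrence.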
Hi Chris!

I've pushed that now, thank you. I'll see if I can trigger it with a test and if it warrants a NEWS entry later.

cheers,
Padraig
