this also squashes in upstream d6a403f953fe80f40761023af9a8b7824752bb32 https://bugs.gentoo.org/411905 From ac4c54f0cce8bb20c100a4c1041f3aa3e7d6cd0a Mon Sep 17 00:00:00 2001 From: Roland McGrath Date: Sun, 25 Mar 2012 11:36:35 -0700 Subject: [PATCH] Fix confstr use of local buffer outside its extent. --- ChangeLog | 5 ++ posix/confstr.c | 222 ++++++++++++++++++++++++++----------------------------- 2 files changed, 111 insertions(+), 116 deletions(-) 2012-03-25 Roland McGrath * posix/confstr.c (confstr): Lift RESTENVS definition to function scope. Reported by Allan McRae . diff --git a/posix/confstr.c b/posix/confstr.c index 3c9566d..ad8fea9 100644 --- a/posix/confstr.c +++ b/posix/confstr.c @@ -1,5 +1,4 @@ -/* Copyright (C) 1991,1996,1997,2000-2004,2009,2010 Free - Software Foundation, Inc. +/* Copyright (C) 1991-2012 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or @@ -34,6 +33,10 @@ confstr (name, buf, len) { const char *string = ""; size_t string_len = 1; + + /* Note that this buffer must be large enough for the longest strings + used below. */ + char restenvs[4 * sizeof "POSIX_V7_LPBIG_OFFBIG"]; switch (name) { @@ -53,59 +55,55 @@ confstr (name, buf, len) wint_t types are no greater than the width of type long. Currently this means all environment which the system allows. */ - { - char restenvs[4 * sizeof "POSIX_V7_LPBIG_OFFBIG"]; - - string_len = 0; + string_len = 0; #ifndef _POSIX_V7_ILP32_OFF32 - if (__sysconf (_SC_V7_ILP32_OFF32) > 0) + if (__sysconf (_SC_V7_ILP32_OFF32) > 0) #endif #if !defined _POSIX_V7_ILP32_OFF32 || _POSIX_V7_ILP32_OFF32 > 0 - { - memcpy (restenvs + string_len, "POSIX_V7_ILP32_OFF32", - sizeof "POSIX_V7_ILP32_OFF32" - 1); - string_len += sizeof "POSIX_V7_ILP32_OFF32" - 1; - } + { + memcpy (restenvs + string_len, "POSIX_V7_ILP32_OFF32", + sizeof "POSIX_V7_ILP32_OFF32" - 1); + string_len += sizeof "POSIX_V7_ILP32_OFF32" - 1; + } #endif #ifndef _POSIX_V7_ILP32_OFFBIG - if (__sysconf (_SC_V7_ILP32_OFFBIG) > 0) + if (__sysconf (_SC_V7_ILP32_OFFBIG) > 0) #endif #if !defined _POSIX_V7_ILP32_OFFBIG || _POSIX_V7_ILP32_OFFBIG > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "POSIX_V7_ILP32_OFFBIG", - sizeof "POSIX_V7_ILP32_OFFBIG" - 1); - string_len += sizeof "POSIX_V7_ILP32_OFFBIG" - 1; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "POSIX_V7_ILP32_OFFBIG", + sizeof "POSIX_V7_ILP32_OFFBIG" - 1); + string_len += sizeof "POSIX_V7_ILP32_OFFBIG" - 1; + } #endif #ifndef _POSIX_V7_LP64_OFF64 - if (__sysconf (_SC_V7_LP64_OFF64) > 0) + if (__sysconf (_SC_V7_LP64_OFF64) > 0) #endif #if !defined _POSIX_V7_LP64_OFF64 || _POSIX_V7_LP64_OFF64 > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "POSIX_V7_LP64_OFF64", - sizeof "POSIX_V7_LP64_OFF64" - 1); - string_len += sizeof "POSIX_V7_LP64_OFF64" - 1; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "POSIX_V7_LP64_OFF64", + sizeof "POSIX_V7_LP64_OFF64" - 1); + string_len += sizeof "POSIX_V7_LP64_OFF64" - 1; + } #endif #ifndef _POSIX_V7_LPBIG_OFFBIG - if (__sysconf (_SC_V7_LPBIG_OFFBIG) > 0) + if (__sysconf (_SC_V7_LPBIG_OFFBIG) > 0) #endif #if !defined _POSIX_V7_LPBIG_OFFBIG || _POSIX_V7_LPBIG_OFFBIG > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "POSIX_V7_LPBIG_OFFBIG", - sizeof "POSIX_V7_LPBIG_OFFBIG" - 1); - string_len += sizeof "POSIX_V7_LPBIG_OFFBIG" - 1; - } -#endif - restenvs[string_len++] = '\0'; - string = restenvs; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "POSIX_V7_LPBIG_OFFBIG", + sizeof "POSIX_V7_LPBIG_OFFBIG" - 1); + string_len += sizeof "POSIX_V7_LPBIG_OFFBIG" - 1; + } +#endif + restenvs[string_len++] = '\0'; + string = restenvs; break; case _CS_V6_WIDTH_RESTRICTED_ENVS: @@ -116,59 +114,55 @@ confstr (name, buf, len) wint_t types are no greater than the width of type long. Currently this means all environment which the system allows. */ - { - char restenvs[4 * sizeof "POSIX_V6_LPBIG_OFFBIG"]; - - string_len = 0; + string_len = 0; #ifndef _POSIX_V6_ILP32_OFF32 - if (__sysconf (_SC_V6_ILP32_OFF32) > 0) + if (__sysconf (_SC_V6_ILP32_OFF32) > 0) #endif #if !defined _POSIX_V6_ILP32_OFF32 || _POSIX_V6_ILP32_OFF32 > 0 - { - memcpy (restenvs + string_len, "POSIX_V6_ILP32_OFF32", - sizeof "POSIX_V6_ILP32_OFF32" - 1); - string_len += sizeof "POSIX_V6_ILP32_OFF32" - 1; - } + { + memcpy (restenvs + string_len, "POSIX_V6_ILP32_OFF32", + sizeof "POSIX_V6_ILP32_OFF32" - 1); + string_len += sizeof "POSIX_V6_ILP32_OFF32" - 1; + } #endif #ifndef _POSIX_V6_ILP32_OFFBIG - if (__sysconf (_SC_V6_ILP32_OFFBIG) > 0) + if (__sysconf (_SC_V6_ILP32_OFFBIG) > 0) #endif #if !defined _POSIX_V6_ILP32_OFFBIG || _POSIX_V6_ILP32_OFFBIG > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "POSIX_V6_ILP32_OFFBIG", - sizeof "POSIX_V6_ILP32_OFFBIG" - 1); - string_len += sizeof "POSIX_V6_ILP32_OFFBIG" - 1; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "POSIX_V6_ILP32_OFFBIG", + sizeof "POSIX_V6_ILP32_OFFBIG" - 1); + string_len += sizeof "POSIX_V6_ILP32_OFFBIG" - 1; + } #endif #ifndef _POSIX_V6_LP64_OFF64 - if (__sysconf (_SC_V6_LP64_OFF64) > 0) + if (__sysconf (_SC_V6_LP64_OFF64) > 0) #endif #if !defined _POSIX_V6_LP64_OFF64 || _POSIX_V6_LP64_OFF64 > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "POSIX_V6_LP64_OFF64", - sizeof "POSIX_V6_LP64_OFF64" - 1); - string_len += sizeof "POSIX_V6_LP64_OFF64" - 1; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "POSIX_V6_LP64_OFF64", + sizeof "POSIX_V6_LP64_OFF64" - 1); + string_len += sizeof "POSIX_V6_LP64_OFF64" - 1; + } #endif #ifndef _POSIX_V6_LPBIG_OFFBIG - if (__sysconf (_SC_V6_LPBIG_OFFBIG) > 0) + if (__sysconf (_SC_V6_LPBIG_OFFBIG) > 0) #endif #if !defined _POSIX_V6_LPBIG_OFFBIG || _POSIX_V6_LPBIG_OFFBIG > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "POSIX_V6_LPBIG_OFFBIG", - sizeof "POSIX_V6_LPBIG_OFFBIG" - 1); - string_len += sizeof "POSIX_V6_LPBIG_OFFBIG" - 1; - } -#endif - restenvs[string_len++] = '\0'; - string = restenvs; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "POSIX_V6_LPBIG_OFFBIG", + sizeof "POSIX_V6_LPBIG_OFFBIG" - 1); + string_len += sizeof "POSIX_V6_LPBIG_OFFBIG" - 1; + } +#endif + restenvs[string_len++] = '\0'; + string = restenvs; break; case _CS_V5_WIDTH_RESTRICTED_ENVS: @@ -179,59 +173,55 @@ confstr (name, buf, len) wint_t types are no greater than the width of type long. Currently this means all environment which the system allows. */ - { - char restenvs[4 * sizeof "XBS5_LPBIG_OFFBIG"]; - - string_len = 0; + string_len = 0; #ifndef _XBS5_ILP32_OFF32 - if (__sysconf (_SC_XBS5_ILP32_OFF32) > 0) + if (__sysconf (_SC_XBS5_ILP32_OFF32) > 0) #endif #if !defined _XBS5_ILP32_OFF32 || _XBS5_ILP32_OFF32 > 0 - { - memcpy (restenvs + string_len, "XBS5_ILP32_OFF32", - sizeof "XBS5_ILP32_OFF32" - 1); - string_len += sizeof "XBS5_ILP32_OFF32" - 1; - } + { + memcpy (restenvs + string_len, "XBS5_ILP32_OFF32", + sizeof "XBS5_ILP32_OFF32" - 1); + string_len += sizeof "XBS5_ILP32_OFF32" - 1; + } #endif #ifndef _XBS5_ILP32_OFFBIG - if (__sysconf (_SC_XBS5_ILP32_OFFBIG) > 0) + if (__sysconf (_SC_XBS5_ILP32_OFFBIG) > 0) #endif #if !defined _XBS5_ILP32_OFFBIG || _XBS5_ILP32_OFFBIG > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "XBS5_ILP32_OFFBIG", - sizeof "XBS5_ILP32_OFFBIG" - 1); - string_len += sizeof "XBS5_ILP32_OFFBIG" - 1; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "XBS5_ILP32_OFFBIG", + sizeof "XBS5_ILP32_OFFBIG" - 1); + string_len += sizeof "XBS5_ILP32_OFFBIG" - 1; + } #endif #ifndef _XBS5_LP64_OFF64 - if (__sysconf (_SC_XBS5_LP64_OFF64) > 0) + if (__sysconf (_SC_XBS5_LP64_OFF64) > 0) #endif #if !defined _XBS5_LP64_OFF64 || _XBS5_LP64_OFF64 > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "XBS5_LP64_OFF64", - sizeof "XBS5_LP64_OFF64" - 1); - string_len += sizeof "XBS5_LP64_OFF64" - 1; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "XBS5_LP64_OFF64", + sizeof "XBS5_LP64_OFF64" - 1); + string_len += sizeof "XBS5_LP64_OFF64" - 1; + } #endif #ifndef _XBS5_LPBIG_OFFBIG - if (__sysconf (_SC_XBS5_LPBIG_OFFBIG) > 0) + if (__sysconf (_SC_XBS5_LPBIG_OFFBIG) > 0) #endif #if !defined _XBS5_LPBIG_OFFBIG || _XBS5_LPBIG_OFFBIG > 0 - { - if (string_len) - restenvs[string_len++] = '\n'; - memcpy (restenvs + string_len, "XBS5_LPBIG_OFFBIG", - sizeof "XBS5_LPBIG_OFFBIG" - 1); - string_len += sizeof "XBS5_LPBIG_OFFBIG" - 1; - } -#endif - restenvs[string_len++] = '\0'; - string = restenvs; - } + { + if (string_len) + restenvs[string_len++] = '\n'; + memcpy (restenvs + string_len, "XBS5_LPBIG_OFFBIG", + sizeof "XBS5_LPBIG_OFFBIG" - 1); + string_len += sizeof "XBS5_LPBIG_OFFBIG" - 1; + } +#endif + restenvs[string_len++] = '\0'; + string = restenvs; break; case _CS_XBS5_ILP32_OFF32_CFLAGS: -- 1.7.9.7