make globfree safe after failed glob from over-length argument

commit 0dc99ac4 added input length checking to avoid unsafe VLA allocation, but put it in the wrong place, before the glob_t structure was zeroed out. while POSIX isn't clear on whether it's permitted to call globfree after glob failed with GLOB_NOSPACE, making it safe is clearly better than letting uninitialized pointers get passed to free in non-conforming callers. while we're fixing this, change strlen check to the idiomatic strnlen version to avoid unbounded input scanning before returning an error.

make globfree safe after failed glob from over-length argument
commit 0dc99ac4 added input length checking to avoid unsafe VLA allocation, but put it in the wrong place, before the glob_t structure was zeroed out. while POSIX isn't clear on whether it's permitted to call globfree after glob failed with GLOB_NOSPACE, making it safe is clearly better than letting uninitialized pointers get passed to free in non-conforming callers. while we're fixing this, change strlen check to the idiomatic strnlen version to avoid unbounded input scanning before returning an error.
769f5359 · Rich Felker · 61fb81e3 · 769f5359
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/regex/glob.c src/regex/glob.c +2 -2

未找到文件。
--- a/src/regex/glob.c
+++ b/src/regex/glob.c
@@ -169,8 +169,6 @@ int glob(const char *restrict pat, int flags, int (*errfunc)(const char *path, i
 		d = "";
 	}

-	if (strlen(p) > PATH_MAX) return GLOB_NOSPACE;
-
 	if (!errfunc) errfunc = ignore_err;

 	if (!(flags & GLOB_APPEND)) {
@@ -179,6 +177,8 @@ int glob(const char *restrict pat, int flags, int (*errfunc)(const char *path, i
 		g->gl_pathv = NULL;
 	}

+	if (strnlen(p, PATH_MAX+1) > PATH_MAX) return GLOB_NOSPACE;
+
 	if (*p) error = match_in_dir(d, p, flags, errfunc, &tail);
 	if (error == GLOB_NOSPACE) {
 		freelist(&head);