make-w32

Re: Minor patch to correct buffer overrun


From: Eli Zaretskii
Subject: Re: Minor patch to correct buffer overrun
Date: Wed, 18 Aug 2010 20:19:34 +0300

> Date: Wed, 18 Aug 2010 09:21:14 -0400
> From: Chris Sutcliffe <address@hidden>
> Cc: address@hidden, address@hidden
> 
> I spent more time looking at the code as opposed to trying to figure
> out GDB and I've fixed the issue.  The problem was the memcpy to clear
> the trailing slash for win32 in find_directory.  Here's an updated
> patch:
> 
> --- dir.c.orig  2010-08-18 09:12:02 -0400
> +++ dir.c       2010-08-18 09:12:23 -0400
> @@ -464,7 +464,7 @@
> 
>          /* Remove any trailing slashes.  Windows32 stat fails even on
>             valid directories if they end in a slash. */
> -        memcpy (tem, name, p - name + 1);
> +        strncpy(tem, name, MAXPATHLEN);
>          tstart = tem;
>          if (tstart[1] == ':')
>            tstart += 2;
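
Review bot: the added strncpy(tem, name, MAXPATHLEN) line leaves tem without a terminating NUL whenever name has MAXPATHLEN or more characters, because tem is described as char tem[MAXPATHLEN] and strncpy does not terminate the destination when it truncates; the lines that follow then read tem through tstart. Set tem[MAXPATHLEN - 1] = '\0' right after the copy, or better, check the length first and refuse names that do not fit, since a silently truncated directory name would otherwise be used as if it were the real one. The call also drops the space before the parenthesis that the removed memcpy (...) line uses.
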
> 
> Instead of relying on 'p' to determine the amount of memory to copy, I
> went the safer route and used strncpy to copy the path being evaluated
> to tem and make sure that we don't exceed tem's memory allocation
> (which is defined as 'char tem[MAXPATHLEN]').

Can you explain what exactly was the problem with the original code?
The value of p was computed earlier as

      p = name + strlen (name);

So it is okay to use `p - name + 1' as the number of characters to
copy, right?

Can you add a printf line there to show the value of `p - name + 1'?

Thanks.
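
The length question raised in this message, worked through as an added example (not code from the thread or from GNU make's dir.c): `p - name + 1` is `strlen (name) + 1`, which fits `tem` only while the name is shorter than the buffer, and `strncpy` with the full buffer size leaves no NUL once it is not. `TEM_SIZE` is a constructed small stand-in for `MAXPATHLEN`, and `copy_dir_name` is a hypothetical helper that checks the length before copying.

```c
#include <stdio.h>
#include <string.h>

#define TEM_SIZE 16   /* constructed stand-in for MAXPATHLEN */

/* Bytes the original memcpy copies: p - name + 1, with p = name + strlen (name). */
static size_t
memcpy_count (const char *name)
{
  const char *p = name + strlen (name);
  return (size_t) (p - name) + 1;
}

/* Nonzero if strncpy (tem, name, size) would leave tem without a NUL. */
static int
strncpy_unterminated (const char *name, size_t size)
{
  return strlen (name) >= size;
}

/* Hypothetical helper: copy NAME into TEM only if it fits with its NUL,
   then strip trailing slashes after an optional drive prefix.
   Returns 0 on success, -1 if NAME is too long (TEM is left untouched). */
static int
copy_dir_name (char *tem, size_t size, const char *name)
{
  size_t n = strlen (name) + 1;
  char *tstart, *end;

  if (n > size)
    return -1;
  memcpy (tem, name, n);
  tstart = tem;
  if (n > 2 && tstart[1] == ':')
    tstart += 2;
  end = tem + n - 1;                      /* points at the NUL */
  while (end > tstart + 1 && (end[-1] == '/' || end[-1] == '\\'))
    *--end = '\0';
  return 0;
}

int
main (void)
{
  char tem[TEM_SIZE];
  const char *longname = "0123456789abcdef";   /* constructed: 16 chars */

  printf ("memcpy count for long name: %zu (buffer %d)\n",
          memcpy_count (longname), TEM_SIZE);
  printf ("checked copy: %d\n", copy_dir_name (tem, sizeof tem, longname));
  return 0;
}
```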


