| author | Dan Fandrich <dan@coneharvesters.com> | 2009-02-05 00:13:40 +0000 | 
|---|---|---|
| committer | Dan Fandrich <dan@coneharvesters.com> | 2009-02-05 00:13:40 +0000 | 
| commit | 77da9a00871cbdbb624f9560f7fcd40fbeda046f (patch) | |
| tree | 11527d02c666c283d7c1ab8b8cdd5251fbd5a49c | |
| parent | 42d2353e741e386fb09bea29f4f0f2778db8a69d (diff) | |
Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
This couldn't ever overflow in curl, but might if the code were used
elsewhere or under different conditions.
| -rw-r--r-- | CHANGES | 4 | ||||
| -rw-r--r-- | src/main.c | 8 | 
2 files changed, 9 insertions, 3 deletions
|
@@ -10,6 +10,10 @@ Daniel Fandrich (4 Feb 2009)
 - Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
   (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
+- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
+  This couldn't ever overflow in curl, but might if the code were used
+  elsewhere or under different conditions.
+
 Daniel Stenberg (3 Feb 2009)
 - Hidemoto Nakada provided a small fix that makes it possible to get the
   CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
diff --git a/src/main.c b/src/main.c
index db2a1307b..16abdfb7b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -5350,12 +5350,14 @@ static char *basename(char *path)
 static const char *
 msdosify (const char *file_name)
 {
-  static char dos_name[PATH_MAX*2];
-  static const char illegal_chars_dos[] = ".+, ;=[]|<>\\\":?*";
+  static char dos_name[PATH_MAX];
+  static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */
+                                       "|<>\\\":?*"; /* illegal in DOS & W95 */
   static const char *illegal_chars_w95 = &illegal_chars_dos[8];
   int idx, dot_idx;
   const char *s = file_name;
   char *d = dos_name;
+  const char * const dlimit = dos_name + sizeof(dos_name) - 1;
   const char *illegal_aliens = illegal_chars_dos;
   size_t len = sizeof (illegal_chars_dos) - 1;
   int lfn = 0;
@@ -5376,7 +5378,7 @@ msdosify (const char *file_name)
     *d++ = *s++;
   }
-  for (idx = 0, dot_idx = -1; *s && d < dlimit; s++, d++) {
+  for (idx = 0, dot_idx = -1; *s && d < dlimit; s++, d++) {
     if (memchr (illegal_aliens, *s, len)) {
       /* Dots are special: DOS doesn't allow them as the leading character,
          and a file name cannot have more than a single dot.  We leave the
|
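Review bot: The new bound `d < dlimit` in the `for` header of msdosify() (last hunk) is tested only once per input character, while the same commit shrinks `dos_name` from `PATH_MAX*2` to `PATH_MAX` (first src/main.c hunk), removing the slack that previously absorbed any growth of the output. The loop body lies outside the hunk, so this is inferred rather than shown: if any branch there advances `d` itself or writes more than one byte per iteration, that write can land past `dlimit` before the header check runs again. Either keep `static char dos_name[PATH_MAX*2];` until every such write is bounded, or guard each multi-byte write with a remaining-space test such as `if ((size_t)(dlimit - d) < needed) break;`, where `needed` is the number of bytes that branch writes. Truncation at the limit is also silent, so a comment on the function along the lines of `/* Result is cut at PATH_MAX-1 bytes; distinct long names may map to the same DOS name. */` would tell callers what to expect.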
