crash in realpath()

To: mutt-dev@xxxxxxxx
Subject: crash in realpath()
From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date: Tue, 31 Mar 2009 14:51:41 +0200
List-post: <mailto:mutt-dev@mutt.org>
List-unsubscribe: send mail to majordomo@mutt.org, body only "unsubscribe mutt-dev"
Sender: owner-mutt-dev@xxxxxxxx
User-agent: Mutt/1.5.19 (2009-01-05)

Hi,

I got a bug report about mutt crashing in realpath():

https://bugzilla.redhat.com/show_bug.cgi?id=492861

It's caused by using buffer which is smaller than PATH_MAX bytes. When
compiled with FORTIFY_SOURCE, glibc will check the length in runtime
and abort even when the result fits in the smaller buffer.

This fixes the problem for me:

--- a/hcache.c  Sat Mar 28 22:37:22 2009 +0100
+++ b/hcache.c  Tue Mar 31 14:32:22 2009 +0200
@@ -836,7 +836,7 @@
    * to ensure equivalent paths share the hcache */
   if (stat (folder, &st) == 0)
   {
-    p = safe_malloc (_POSIX_PATH_MAX+1);
+    p = safe_malloc (PATH_MAX+1);
     if (!realpath (folder, p))
       mutt_str_replace (&p, folder);
   } else
diff -r be9fb07730c6 muttlib.c
--- a/muttlib.c Sat Mar 28 22:37:22 2009 +0100
+++ b/muttlib.c Tue Mar 31 14:32:22 2009 +0200
@@ -759,7 +759,7 @@
   char *p = s, *q = s;
   size_t len;
   url_scheme_t scheme;
-  char tmp[_POSIX_PATH_MAX];
+  char tmp[PATH_MAX];
 
   scheme = url_check_scheme (s);
 

-- 
Miroslav Lichvar

Follow-Ups:
- Re: crash in realpath()
  - From: Rocco Rutte

Prev by Date: [Mutt] #3210: Feature Request: IMAP keywords
Next by Date: Re: [Mutt] #3209: mutt does not display new message count (imap)
Previous by thread: Re: [Mutt] #3210: Feature Request: IMAP keywords
Next by thread: Re: crash in realpath()
Index(es):
- Date
- Thread