From 04f8f69cb711ae5ec609eda786b64bb0726fd5b4 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Wed, 19 Jun 2013 15:54:20 +0000 Subject: [PATCH] * libc/posix/readdir_r.c: Fix potential read past dirp->dd_buf. --- newlib/ChangeLog | 6 +++++- newlib/libc/posix/readdir_r.c | 8 +++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/newlib/ChangeLog b/newlib/ChangeLog index 93c133426..0a819332a 100644 --- a/newlib/ChangeLog +++ b/newlib/ChangeLog @@ -1,4 +1,8 @@ -2013-06-13 Bin Cheng +2013-06-19 Terraneo Federico + + * libc/posix/readdir_r.c: Fix potential read past dirp->dd_buf. + +2013-06-13 Bir Cheng * README: Add description for NEWLIB's feature customizing configuration options. diff --git a/newlib/libc/posix/readdir_r.c b/newlib/libc/posix/readdir_r.c index b9a0b9024..eafbeca6a 100644 --- a/newlib/libc/posix/readdir_r.c +++ b/newlib/libc/posix/readdir_r.c @@ -42,6 +42,7 @@ static char sccsid[] = "@(#)readdir.c 5.7 (Berkeley) 6/1/90"; #include #include #include +#include extern int getdents (int fd, void *dp, int count); @@ -84,16 +85,17 @@ struct dirent *tmpdp; continue; } tmpdp = (struct dirent *)(dirp->dd_buf + dirp->dd_loc); - memcpy (dp, tmpdp, sizeof(struct dirent)); - if (dp->d_reclen <= 0 || - dp->d_reclen > dirp->dd_len + 1 - dirp->dd_loc) { + if (tmpdp->d_reclen <= 0 || + tmpdp->d_reclen > dirp->dd_len + 1 - dirp->dd_loc) { #ifdef HAVE_DD_LOCK __lock_release_recursive(dirp->dd_lock); #endif *dpp = NULL; return -1; } + memcpy (dp, tmpdp, MIN (tmpdp->d_reclen, sizeof (struct dirent))); + dirp->dd_loc += dp->d_reclen; if (dp->d_ino == 0) continue;