[Libreoffice-bugs] [Bug 118514] overflow at realpath()

Sun Jul 8 09:23:52 UTC 2018

https://bugs.documentfoundation.org/show_bug.cgi?id=118514

--- Comment #4 from Dhiraj <mishra.dhiraj95 at gmail.com> ---
(In reply to Stephan Bergmann from comment #3)
> (In reply to Dhiraj from comment #0)
> > File:
> > https://github.com/LibreOffice/core/blob/master/desktop/unx/source/start.
> > c#L191
> 
> i.e.,
> 
>     dummy = realpath(pPath, pRealPath);
> 
> > This function does not protect against buffer overflows, and some
> > implementations can overflow internally. 
> > 
> > Ensure that the destination buffer is at least of size MAXPATHLEN, andto
> > protect against implementation problems, the input argument should also be
> > checked to ensure it is no larger than MAXPATHLEN.
> 
> What is MAXPATHLEN?  What platform are you talking about?  At least SUSv4
> doesn't have any such requirements on realpath(3), nor does it mention
> MAXPATHLEN.
> 
> > According to the documentation of realpath() the output buffer needs to be
> > at least of size PATH_MAX specifying output buffers large enough to handle
> > the maximum-size possible result from path manipulation functions.
> 
> ...and pRealPath is of sufficient size, see
> 
>     char pRealPath[PATH_MAX];
> 
> a few lines further up.  Or what am I missing?

In FreeBSD libc

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/libreoffice-bugs/attachments/20180708/5973a744/attachment.html>