From 77da9a00871cbdbb624f9560f7fcd40fbeda046f Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Thu, 5 Feb 2009 00:13:40 +0000 Subject: [PATCH] Added an explicit buffer limit check in msdosify() (patch based on FreeBSD). This couldn't ever overflow in curl, but might if the code were used elsewhere or under different conditions. --- CHANGES | 4 ++++ src/main.c | 8 +++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index 5f2385180..bcf0229ee 100644 --- a/CHANGES +++ b/CHANGES @@ -10,6 +10,10 @@ Daniel Fandrich (4 Feb 2009) - Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS (respectively) when --with-ssl=/usr is used (patch based on FreeBSD). +- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD). + This couldn't ever overflow in curl, but might if the code were used + elsewhere or under different conditions. + Daniel Stenberg (3 Feb 2009) - Hidemoto Nakada provided a small fix that makes it possible to get the CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with diff --git a/src/main.c b/src/main.c index db2a1307b..16abdfb7b 100644 --- a/src/main.c +++ b/src/main.c @@ -5350,12 +5350,14 @@ static char *basename(char *path) static const char * msdosify (const char *file_name) { - static char dos_name[PATH_MAX*2]; - static const char illegal_chars_dos[] = ".+, ;=[]|<>\\\":?*"; + static char dos_name[PATH_MAX]; + static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */ + "|<>\\\":?*"; /* illegal in DOS & W95 */ static const char *illegal_chars_w95 = &illegal_chars_dos[8]; int idx, dot_idx; const char *s = file_name; char *d = dos_name; + const char * const dlimit = dos_name + sizeof(dos_name) - 1; const char *illegal_aliens = illegal_chars_dos; size_t len = sizeof (illegal_chars_dos) - 1; int lfn = 0; 
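Review bot: Shrinking `dos_name` from `PATH_MAX*2` to `PATH_MAX` in the same change removes the slack that used to absorb any growth of the converted name, so `dlimit` becomes the only bound on writes into the static buffer. A name that does not fit is now cut short silently, and the caller cannot tell this from the returned pointer; if the result is used as a local output name, two long inputs could end up mapping to the same file. I would document the contract next to the declaration, e.g. `/* dlimit: last byte of dos_name, kept free for the terminating NUL; longer results are truncated */`, and say in the function comment that the return value points to a static buffer. The rest of msdosify's body lies outside this hunk, so the terminator write is presumed rather than seen.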
@@ -5376,7 +5378,7 @@ msdosify (const char *file_name) *d++ = *s++; } - for (idx = 0, dot_idx = -1; *s; s++, d++) { + for (idx = 0, dot_idx = -1; *s && d < dlimit; s++, d++) { if (memchr (illegal_aliens, *s, len)) { /* Dots are special: DOS doesn't allow them as the leading character, and a file name cannot have more than a single dot. We leave the
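Review bot: The new `d < dlimit` test runs only once per iteration, at the top of the `for`, so it bounds the output only if every path through the body stores at most one byte before the `d++` in the loop header. The body continues past the end of this hunk; if any branch there writes several bytes at once (a multi-character replacement, say), an iteration entered with `d == dlimit - 1` can still run past the end of `dos_name`. Each such store should be guarded by the space actually remaining, for example `if ((size_t)(dlimit - d) < needed) break;`, where `needed` stands for that branch's write size. A short comment on the loop condition stating the one-byte-per-iteration assumption would make the invariant visible to the next editor.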