diff options
| -rw-r--r-- | newlib/ChangeLog | 6 | ||||
| -rw-r--r-- | newlib/libc/posix/readdir_r.c | 8 |
2 files changed, 10 insertions, 4 deletions
diff --git a/newlib/ChangeLog b/newlib/ChangeLog index 93c133426..0a819332a 100644 --- a/newlib/ChangeLog +++ b/newlib/ChangeLog @@ -1,4 +1,8 @@ -2013-06-13 Bin Cheng <bin.cheng@arm.com> +2013-06-19 Terraneo Federico <fede.tft@hotmail.it> + + * libc/posix/readdir_r.c: Fix potential read past dirp->dd_buf. + +2013-06-13 Bir Cheng <bin.cheng@arm.com> * README: Add description for NEWLIB's feature customizing configuration options. diff --git a/newlib/libc/posix/readdir_r.c b/newlib/libc/posix/readdir_r.c index b9a0b9024..eafbeca6a 100644 --- a/newlib/libc/posix/readdir_r.c +++ b/newlib/libc/posix/readdir_r.c @@ -42,6 +42,7 @@ static char sccsid[] = "@(#)readdir.c 5.7 (Berkeley) 6/1/90"; #include <dirent.h> #include <errno.h> #include <string.h> +#include <sys/param.h> extern int getdents (int fd, void *dp, int count); @@ -84,16 +85,17 @@ struct dirent *tmpdp; continue; } tmpdp = (struct dirent *)(dirp->dd_buf + dirp->dd_loc); - memcpy (dp, tmpdp, sizeof(struct dirent)); - if (dp->d_reclen <= 0 || - dp->d_reclen > dirp->dd_len + 1 - dirp->dd_loc) { + if (tmpdp->d_reclen <= 0 || + tmpdp->d_reclen > dirp->dd_len + 1 - dirp->dd_loc) { #ifdef HAVE_DD_LOCK __lock_release_recursive(dirp->dd_lock); #endif *dpp = NULL; return -1; } + memcpy (dp, tmpdp, MIN (tmpdp->d_reclen, sizeof (struct dirent))); + dirp->dd_loc += dp->d_reclen; if (dp->d_ino == 0) continue; |