emacs-devel

Patch fixing buffer overflow in trunk


From: Bernhard Herzog
Subject: Patch fixing buffer overflow in trunk
Date: Tue, 04 May 2010 17:14:41 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

Hi,

since yesterday I've been running into crashes when starting emacs from
bzr trunk that seemed to depend on the current working directory.
E.g. starting from one particular directory would lead to a practically
immediate crash with the output:

*** glibc detected *** emacs: malloc(): memory corruption: 0x086c6c90 ***
======= Backtrace: =========
/lib/libc.so.6[0xb7505845]

Changing into another directory, e.g. the parent directory of the one
where it just failed, would solve the problem and emacs would start.

Investigating further, it seemed to depend on the length of the absolute
name of the current directory.  And a little bisecting in the bzr
history showed that the defect was introduced in revision 100117 in the
following lines:

--- src/xsmfns.c        2010-02-10 09:29:28 +0000
+++ src/xsmfns.c        2010-05-02 18:44:04 +0000

@@ -246,7 +251,19 @@
 
   props[props_idx]->vals[2].length = strlen (NOSPLASH_OPT);
   props[props_idx]->vals[2].value = NOSPLASH_OPT;
-  val_idx += 3;
+
+  cwd = get_current_dir_name ();
+  if (cwd) 
+    {
+      chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (client_id) + 1);
+      strcpy (chdir_opt, CHDIR_OPT);
+      strcat (chdir_opt, cwd);
+
+      props[props_idx]->vals[3].length = strlen (chdir_opt);
+      props[props_idx]->vals[3].value = chdir_opt;
+    }
+
+  val_idx += cwd ? 4 : 3;
   ++props_idx;
 
   /* User id.  */
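
Review bot: The xmalloc call in the new `if (cwd)` block is sized with strlen (client_id), but the bytes written into chdir_opt by the strcpy and strcat that follow are CHDIR_OPT plus cwd, so the buffer is too small whenever cwd is longer than client_id and the strcat writes past the end of the heap block. Size the allocation from the string that is actually copied: `xmalloc (strlen (CHDIR_OPT) + strlen (cwd) + 1)`. Separately, get_current_dir_name returns malloc'd storage and no free of cwd is visible in this hunk; release it once the strcat is done.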


Clearly, that strlen (client_id) should actually be strlen (cwd).  The
patch below fixes this.

  Bernhard


=== modified file 'src/xsmfns.c'
--- src/xsmfns.c        2010-05-02 18:44:04 +0000
+++ src/xsmfns.c        2010-05-04 14:33:08 +0000
@@ -255,7 +255,7 @@
   cwd = get_current_dir_name ();
   if (cwd) 
     {
-      chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (client_id) + 1);
+      chdir_opt = xmalloc (strlen (CHDIR_OPT) + strlen (cwd) + 1);
       strcpy (chdir_opt, CHDIR_OPT);
       strcat (chdir_opt, cwd);
 
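
Review bot: The strcpy and strcat after the corrected xmalloc line still depend on the size expression being kept in step with them by hand, which is the kind of mismatch this patch repairs. Consider taking strlen (CHDIR_OPT) and strlen (cwd) into locals once and using them for both the allocation and the copies (for example memcpy of each part plus the terminating NUL), so that the size and the writes cannot drift apart. A short comment on the xmalloc line stating that the +1 is for the terminator would also help the next reader.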
