Fix bug #17334 with overrunning string bounds when PATH is broken.

 nt/cmdproxy.c (make_absolute): Don't copy more characters from PATH
 than a single directory name can hold.

diff --git a/nt/ChangeLog b/nt/ChangeLog
index 97d4270..299879c 100644 (file)
--- a/nt/ChangeLog
+++ b/nt/ChangeLog
@@ -1,3 +1,8 @@
+2014-04-26  Eli Zaretskii  <eliz@gnu.org>
+
+       * cmdproxy.c (make_absolute): Don't copy more characters from PATH
+       than a single directory name can hold.  (Bug#17334)
+
 2014-04-21  Eli Zaretskii  <eliz@gnu.org>
 
        * inc/ms-w32.h (lseek): Define only if not already a macro.

diff --git a/nt/cmdproxy.c b/nt/cmdproxy.c
index f3433f6..e48ca63 100644 (file)
--- a/nt/cmdproxy.c
+++ b/nt/cmdproxy.c
@@ -292,11 +292,15 @@ make_absolute (const char *prog)
 
   while (*path)
     {
+      size_t len;
+
       /* Get next directory from path.  */
       p = path;
       while (*p && *p != ';') p++;
-      strncpy (dir, path, p - path);
-      dir[p - path] = '\0';
+      /* A broken PATH could have too long directory names in it.  */
+      len = min (p - path, sizeof (dir) - 1);
+      strncpy (dir, path, len);
+      dir[len] = '\0';
 
       /* Search the directory for the program.  */
       if (search_dir (dir, prog, MAX_PATH, absname) > 0)