From: Paul Smith <psmith@gnu.org>
Date: Thu, 18 Jan 2024 22:54:59 +0000 (-0500)
Subject: [SV 65172] Avoid buffer overruns when expanding for $(shell ...)
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=25049fef16d7ccac1836443cb2888231a4d694b5;p=thirdparty%2Fmake.git

[SV 65172] Avoid buffer overruns when expanding for $(shell ...)

Reported-by: MIAOW Miao <guoyr_2013@hotmail.com>
Patch from: Henrik Carlqvist <hc981@poolhem.se>
Test from: Dmitry Goncharov <dgoncharov@users.sf.net>

* src/expand.c (recursively_expand_for_file): Check the variable name
before checking for equality so we don't overrun the buffer.
* tests/scripts/functions/shell: Add a test with a very long variable.
---

diff --git a/src/expand.c b/src/expand.c
index f09243b6..e840bc48 100644
--- a/src/expand.c
+++ b/src/expand.c
@@ -163,7 +163,7 @@ recursively_expand_for_file (struct variable *v, struct file *file)
       /* We could create a hash for the original environment for speed, but a
          reasonably written makefile shouldn't hit this situation...  */
       for (ep = environ; *ep != 0; ++ep)
-        if ((*ep)[nl] == '=' && strncmp (*ep, v->name, nl) == 0)
+        if (strncmp (*ep, v->name, nl) == 0 && (*ep)[nl] == '=')
           return xstrdup ((*ep) + nl + 1);
 
       /* If there's nothing in the parent environment, use the empty string.
diff --git a/tests/scripts/functions/shell b/tests/scripts/functions/shell
index e5c346cc..b9b9ee32 100644
--- a/tests/scripts/functions/shell
+++ b/tests/scripts/functions/shell
@@ -213,4 +213,15 @@ endif
                   '--no-print-directory -j2', ": 2\n: 1");
 }
 
+if ($port_type eq 'UNIX') {
+    # sv 65172.
+    # Buffer overrun in recursively_expand_for_file on a variable with a long
+    # name.
+    my $v = "a1234567890" x 4 x 1000;
+    run_make_test("
+export $v=\$(shell echo hello)
+all:; \@echo \$\$$v
+", '', "hello\n");
+}
+
 1;