[SV 65172] Avoid buffer overruns when expanding for $(shell ...)

Reported-by: MIAOW Miao <guoyr_2013@hotmail.com>
Patch from: Henrik Carlqvist <hc981@poolhem.se>
Test from: Dmitry Goncharov <dgoncharov@users.sf.net>

* src/expand.c (recursively_expand_for_file): Check the variable name
before checking for equality so we don't overrun the buffer.
* tests/scripts/functions/shell: Add a test with a very long variable.

diff --git a/src/expand.c b/src/expand.c
index f09243b62c2aedf97e6b1385aa992804bdbf770b..e840bc48da689f767ac1176f468c50b30694815f 100644 (file)
--- a/src/expand.c
+++ b/src/expand.c
@@ -163,7 +163,7 @@ recursively_expand_for_file (struct variable *v, struct file *file)
       /* We could create a hash for the original environment for speed, but a
          reasonably written makefile shouldn't hit this situation...  */
       for (ep = environ; *ep != 0; ++ep)
-        if ((*ep)[nl] == '=' && strncmp (*ep, v->name, nl) == 0)
+        if (strncmp (*ep, v->name, nl) == 0 && (*ep)[nl] == '=')
           return xstrdup ((*ep) + nl + 1);
 
       /* If there's nothing in the parent environment, use the empty string.

diff --git a/tests/scripts/functions/shell b/tests/scripts/functions/shell
index e5c346cc9767ecaa344466e13df4935120095031..b9b9ee3217a8686f58373f9ec748fd96a41ba495 100644 (file)
--- a/tests/scripts/functions/shell
+++ b/tests/scripts/functions/shell
@@ -213,4 +213,15 @@ endif
                   '--no-print-directory -j2', ": 2\n: 1");
 }
 
+if ($port_type eq 'UNIX') {
+    # sv 65172.
+    # Buffer overrun in recursively_expand_for_file on a variable with a long
+    # name.
+    my $v = "a1234567890" x 4 x 1000;
+    run_make_test("
+export $v=\$(shell echo hello)
+all:; \@echo \$\$$v
+", '', "hello\n");
+}
+
 1;