From: Dan Fandrich <dan@coneharvesters.com>
Date: Thu, 5 Feb 2009 00:13:40 +0000 (+0000)
Subject: Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
X-Git-Tag: curl-7_19_4~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77da9a00871cbdbb624f9560f7fcd40fbeda046f;p=thirdparty%2Fcurl.git

Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
This couldn't ever overflow in curl, but might if the code were used
elsewhere or under different conditions.
---

diff --git a/CHANGES b/CHANGES
index 5f23851808..bcf0229eeb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -10,6 +10,10 @@ Daniel Fandrich (4 Feb 2009)
 - Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
   (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
 
+- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
+  This couldn't ever overflow in curl, but might if the code were used
+  elsewhere or under different conditions.
+
 Daniel Stenberg (3 Feb 2009)
 - Hidemoto Nakada provided a small fix that makes it possible to get the
   CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with
diff --git a/src/main.c b/src/main.c
index db2a1307bd..16abdfb7b8 100644
--- a/src/main.c
+++ b/src/main.c
@@ -5350,12 +5350,14 @@ static char *basename(char *path)
 static const char *
 msdosify (const char *file_name)
 {
-  static char dos_name[PATH_MAX*2];
-  static const char illegal_chars_dos[] = ".+, ;=[]|<>\\\":?*";
+  static char dos_name[PATH_MAX];
+  static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */
+                                       "|<>\\\":?*"; /* illegal in DOS & W95 */
   static const char *illegal_chars_w95 = &illegal_chars_dos[8];
   int idx, dot_idx;
   const char *s = file_name;
   char *d = dos_name;
+  const char * const dlimit = dos_name + sizeof(dos_name) - 1;
   const char *illegal_aliens = illegal_chars_dos;
   size_t len = sizeof (illegal_chars_dos) - 1;
   int lfn = 0;
@@ -5376,7 +5378,7 @@ msdosify (const char *file_name)
     *d++ = *s++;
   }
 
-  for (idx = 0, dot_idx = -1; *s; s++, d++) {
+  for (idx = 0, dot_idx = -1; *s && d < dlimit; s++, d++) {
     if (memchr (illegal_aliens, *s, len)) {
       /* Dots are special: DOS doesn't allow them as the leading character,
          and a file name cannot have more than a single dot.  We leave the