From: Daniel P. Berrange <berrange@redhat.com>
Date: Tue, 22 Feb 2011 17:08:12 +0000 (+0000)
Subject: Fix off-by-1 in virFileAbsPath.
X-Git-Tag: CVE-2011-1146~108
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f5bbe3b926b52c6490346fd3c026546caadaefd;p=thirdparty%2Flibvirt.git

Fix off-by-1 in virFileAbsPath.

The virFileAbsPath was not taking into account the '/' directory
separator when allocating memory for combining cwd + path. Convert
to use virAsprintf to avoid this type of bug completely.

* src/util/util.c: Convert virFileAbsPath to use virAsprintf
---

diff --git a/src/util/util.c b/src/util/util.c
index 965e96def8..ee08d47400 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -1990,30 +1990,22 @@ cleanup:
 int virFileAbsPath(const char *path, char **abspath)
 {
     char *buf;
-    int cwdlen;
 
     if (path[0] == '/') {
-        buf = strdup(path);
-        if (buf == NULL)
-            return(-1);
+        if (!(*abspath = strdup(path)))
+            return -1;
     } else {
         buf = getcwd(NULL, 0);
         if (buf == NULL)
-            return(-1);
+            return -1;
 
-        cwdlen = strlen(buf);
-        /* cwdlen includes the null terminator */
-        if (VIR_REALLOC_N(buf, cwdlen + strlen(path) + 1) < 0) {
+        if (virAsprintf(abspath, "%s/%s", buf, path) < 0) {
             VIR_FREE(buf);
-            errno = ENOMEM;
-            return(-1);
+            return -1;
         }
-
-        buf[cwdlen] = '/';
-        strcpy(&buf[cwdlen + 1], path);
+        VIR_FREE(buf);
     }
 
-    *abspath = buf;
     return 0;
 }