From 8a82a76a428dd9cba592103fbe0bc0dc556ad68b Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Mon, 21 Feb 2022 08:26:06 +0530
Subject: [PATCH] realpath: Do not copy result on failure (BZ #28815)

On failure, the contents of the resolved buffer passed in by the caller
to realpath are undefined.  Do not copy any partial resolution to the
buffer and also do not test resolved contents in test-canon.c.

Resolves: BZ #28815

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
(cherry picked from commit 949ad78a189194048df8a253bb31d1d11d919044)
---
 NEWS                  | 1 +
 stdlib/canonicalize.c | 4 ++--
 stdlib/test-canon.c   | 4 +++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index cf6102582e2..3a821a36fb7 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,7 @@ The following bugs are resolved with this release:
   [25812] Libio vtable protection is sometimes only partially enforced
   [27576] gmon: improve mcount overflow handling
   [27821] ungetc: Fix backup buffer leak on program exit
+  [28815] realpath should not copy to resolved buffer on error
   [28838] FAIL: elf/tst-p_align3
   [28846] CMSG_NXTHDR may trigger -Wstrict-overflow warning
   [28850] linux: __get_nprocs_sched reads uninitialized memory from the stack
diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c
index 6caed9e70e1..6237a41d42b 100644
--- a/stdlib/canonicalize.c
+++ b/stdlib/canonicalize.c
@@ -400,11 +400,11 @@ realpath_stk (const char *name, char *resolved,
 
 error:
   *dest++ = '\0';
-  if (resolved != NULL)
+  if (!failed && resolved != NULL)
     {
       if (dest - rname <= get_path_max ())
 	rname = strcpy (resolved, rname);
-      else if (!failed)
+      else
 	{
 	  failed = true;
 	  __set_errno (ENAMETOOLONG);
diff --git a/stdlib/test-canon.c b/stdlib/test-canon.c
index 185ccf4f483..2ad1218749d 100644
--- a/stdlib/test-canon.c
+++ b/stdlib/test-canon.c
@@ -174,7 +174,9 @@ do_test (int argc, char ** argv)
 	  continue;
 	}
 
-      if (!check_path (buf, tests[i].out ? tests[i].out : tests[i].resolved))
+      /* Only on success verify that buf contains the result too.  */
+      if (result != NULL
+	  && !check_path (buf, tests[i].out ? tests[i].out : tests[i].resolved))
 	{
 	  printf ("%s: flunked test %d (expected resolved `%s', got `%s')\n",
 		  argv[0], i, tests[i].out ? tests[i].out : tests[i].resolved,
-- 
2.47.2