From 41e5ae80b16369143f6da0b0f6d3e7bb33256391 Mon Sep 17 00:00:00 2001
From: Chris Down
Date: Mon, 16 Feb 2026 13:06:31 +0800
Subject: [PATCH] pwd: fix heap buffer overflow in file_name_prepend

file_name_prepend works by right-aligning path data in a growing buffer. When the buffer is too small, it then allocates a new buffer via xpalloc() and copies existing data to the end of the new buffer.

Unfortunately, the memcpy destination is computed as buf + p->n_alloc - n_free, but xpalloc has already updated p->n_alloc to the new (larger) allocation size while n_free still reflects the old state. This places the data at too high an offset, writing past the end of the buffer.

Update to properly calculate the destination offset.

Fixes: v9.5-171-g61ab25c35 ("pwd: prefer xpalloc to xnrealloc")
---
 src/pwd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pwd.c b/src/pwd.c
index 4f30d07653..486e8e670f 100644
--- a/src/pwd.c
+++ b/src/pwd.c
@@ -112,7 +112,7 @@ file_name_prepend (struct file_name *p, char const *s, size_t s_len)
      copy it only once.  */
   idx_t n_used = p->n_alloc - n_free;
   char *buf = xpalloc (NULL, &p->n_alloc, 1 + s_len - n_free, -1, 1);
-  p->start = memcpy (buf + p->n_alloc - n_free, p->start, n_used);
+  p->start = memcpy (buf + p->n_alloc - n_used, p->start, n_used);
   free (p->buf);
   p->buf = buf;
 }
--
2.47.3
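Review bot: The corrected destination `buf + p->n_alloc - n_used` is only right because `p->n_alloc` was rewritten by the `xpalloc` call two lines above while `n_free` still holds the pre-growth value, and nothing at the copy site records that; the removed line is exactly what a reader reintroduces if they "simplify" it back, so add a comment there: `/* xpalloc just updated p->n_alloc; n_free is now stale, so right-align the n_used bytes using the new size.  */`. The same staleness applies to any code after the hunk that still reads `n_free` before it is recomputed from the new allocation (e.g. `n_free = p->n_alloc - n_used;`) ahead of prepending `s`; that code is outside the hunk, so I cannot confirm it is refreshed and it is worth checking. Since the original overflow only shows when the path outgrows the initial buffer, a regression test that drives pwd through a directory tree deep enough to trigger the realloc, run under ASan, would pin this fix. The closing brace at the end of the hunk appears to close the growth branch rather than the function, so file_name_prepend's body continues past the hunk.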