haiwen/seafile-server
1
0
Fork 0
mirror of https://github.com/haiwen/seafile-server.git synced 2025-09-06 18:00:18 +00:00
Code Issues Releases Wiki Activity

Check length of path before memcpy (#571)

Browse Source 
Co-authored-by: 杨赫然 <heran.yang@seafile.com>
This commit is contained in:
feiniks
2022-08-05 15:01:13 +08:00
committed by GitHub
parent 5ab20142e2
commit 9debeec57e
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
lib/utils.c
View File

@@ -885,6 +885,7 @@ int copy_file (const char *dst, const char *src, int mode)
char* char*
ccnet_expand_path (const char *src) ccnet_expand_path (const char *src)
{ {
int total_len = 0;
#ifdef WIN32 #ifdef WIN32
char new_path[SEAF_PATH_MAX + 1]; char new_path[SEAF_PATH_MAX + 1];
char *p = new_path; char *p = new_path;
@@ -893,10 +894,18 @@ ccnet_expand_path (const char *src)
memset(new_path, 0, sizeof(new_path)); memset(new_path, 0, sizeof(new_path));
if (*src == '~') { if (*src == '~') {
const char *home = g_get_home_dir(); const char *home = g_get_home_dir();
total_len += strlen(home);
if (total_len > SEAF_PATH_MAX) {
return NULL;
}
memcpy(new_path, home, strlen(home)); memcpy(new_path, home, strlen(home));
p += strlen(new_path); p += strlen(new_path);
q++; q++;
} }
total_len += strlen(q);
if (total_len > SEAF_PATH_MAX) {
return NULL;
}
memcpy(p, q, strlen(q)); memcpy(p, q, strlen(q));
/* delete the charactor '\' or '/' at the end of the path /* delete the charactor '\' or '/' at the end of the path
@@ -933,6 +942,9 @@ ccnet_expand_path (const char *src)
pw = getpwuid (geteuid()); pw = getpwuid (geteuid());
} else { } else {
/* copy '~<user>' to new_path */ /* copy '~<user>' to new_path */
if (len > SEAF_PATH_MAX) {
return NULL;
}
memcpy (new_path, src, len); memcpy (new_path, src, len);
new_path[len] = '\0'; new_path[len] = '\0';
pw = getpwnam (new_path + 1); pw = getpwnam (new_path + 1);
@@ -941,6 +953,10 @@ ccnet_expand_path (const char *src)
return NULL; return NULL;
len = strlen (pw->pw_dir); len = strlen (pw->pw_dir);
total_len += len;
if (total_len > SEAF_PATH_MAX) {
return NULL;
}
memcpy (new_path, pw->pw_dir, len); memcpy (new_path, pw->pw_dir, len);
next_out = new_path + len; next_out = new_path + len;
*next_out = '\0'; *next_out = '\0';
@@ -977,6 +993,10 @@ ccnet_expand_path (const char *src)
} else if (ntoken[0] != '.' || len != 1) { } else if (ntoken[0] != '.' || len != 1) {
/* not '.' */ /* not '.' */
*next_out++ = '/'; *next_out++ = '/';
total_len += len;
if (total_len > SEAF_PATH_MAX) {
return NULL;
}
memcpy (next_out, ntoken, len); memcpy (next_out, ntoken, len);
next_out += len; next_out += len;
*next_out = '\0'; *next_out = '\0';