Fix bug #17334 with overrunning string bounds when PATH is broken.

nt/cmdproxy.c (make_absolute): Don't copy more characters from PATH than a single directory name can hold.
author: Eli Zaretskii <eliz@gnu.org> 2014-04-26 10:06:33 +0300
committer: Eli Zaretskii <eliz@gnu.org> 2014-04-26 10:06:33 +0300
commit: 7ece6d40142cad22fe342ae522e24c9b8b5e75a3 (patch)
tree: e3d5ea90a5e58c3a444caa5ed27247b0e0d6dd2a /nt
parent: 0507406b6ca75c4366dd16855123e8fc9b012c6b (diff)
download: emacs-7ece6d40142cad22fe342ae522e24c9b8b5e75a3.tar.gz
2 files changed, 11 insertions, 2 deletions
diff --git a/nt/ChangeLog b/nt/ChangeLog
index 97d42701c3c..299879ccba8 100644
--- a/nt/ChangeLog
+++ b/nt/ChangeLog
@@ -1,3 +1,8 @@
+2014-04-26  Eli Zaretskii  <eliz@gnu.org>
+
+	* cmdproxy.c (make_absolute): Don't copy more characters from PATH
+	than a single directory name can hold.  (Bug#17334)
+
 2014-04-21  Eli Zaretskii  <eliz@gnu.org>
 
 	* inc/ms-w32.h (lseek): Define only if not already a macro.
diff --git a/nt/cmdproxy.c b/nt/cmdproxy.c
index f3433f63684..e48ca63a257 100644
--- a/nt/cmdproxy.c
+++ b/nt/cmdproxy.c
@@ -292,11 +292,15 @@ make_absolute (const char *prog)
 
   while (*path)
     {
+      size_t len;
+
       /* Get next directory from path.  */
       p = path;
       while (*p && *p != ';') p++;
-      strncpy (dir, path, p - path);
-      dir[p - path] = '\0';
+      /* A broken PATH could have too long directory names in it.  */
+      len = min (p - path, sizeof (dir) - 1);
+      strncpy (dir, path, len);
+      dir[len] = '\0';
 
       /* Search the directory for the program.  */
       if (search_dir (dir, prog, MAX_PATH, absname) > 0)
author	Eli Zaretskii <eliz@gnu.org>	2014-04-26 10:06:33 +0300
committer	Eli Zaretskii <eliz@gnu.org>	2014-04-26 10:06:33 +0300
commit	7ece6d40142cad22fe342ae522e24c9b8b5e75a3 (patch)
tree	e3d5ea90a5e58c3a444caa5ed27247b0e0d6dd2a /nt
parent	0507406b6ca75c4366dd16855123e8fc9b012c6b (diff)
download	emacs-7ece6d40142cad22fe342ae522e24c9b8b5e75a3.tar.gz