sed: fix symlink bufsize readlink check

Problem reported by Hauke Mehrtens.
* sed/utils.c (follow_symlink): Fix typo when checking size of
second and later symlink, when that symlink is so large that it
does not fit into the buffer.  Although the bug is not a buffer
overflow, it does cause sed to mishandle the symlink.
* testsuite/follow-symlinks.sh: Test for the bug.

3 files changed, 18 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index c6adcda..a2e5334 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ GNU sed NEWS                                    -*- outline -*-
 
 * Noteworthy changes in release ?.? (????-??-??) [?]
 
+  'sed --follow-symlinks -i' no longer mishandles an operand that is a
+  short symbolic link to a long symbolic link to a file.
+  [bug introduced in sed 4.9]
+
 
 * Noteworthy changes in release 4.9 (2022-11-06) [stable]
 
diff --git a/sed/utils.c b/sed/utils.c
index 4bd6587..03243c2 100644
--- a/sed/utils.c
+++ b/sed/utils.c
@@ -345,7 +345,7 @@ follow_symlink (const char *fname)
       while ((linklen = (buf_used < buf_size
                          ? readlink (fn, buf + buf_used, buf_size - buf_used)
                          : 0))
-             == buf_size)
+             == buf_size - buf_used)
         {
           buf = xpalloc (buf, &buf_size, 1, SSIZE_IDX_MAX, 1);
           if (num_links)
diff --git a/testsuite/follow-symlinks.sh b/testsuite/follow-symlinks.sh
index 880a80e..c418804 100644
--- a/testsuite/follow-symlinks.sh
+++ b/testsuite/follow-symlinks.sh
@@ -73,4 +73,17 @@ compare_ exp-la-abs out-la-abs || fail=1
 ln -s la-loop la-loop || framework_failure_
 sed --follow-symlinks -i s/a/b/ la-loop && fail=1
 
+# symlink of length 128
+long=d/
+for i in 2 3 4 5 6 7; do
+  long=$long$long
+done
+dir=${long%/d/}
+file=$dir/xx
+mkdir -p $dir &&
+echo x >$file &&
+ln -s $file yy &&
+ln -s yy xx || framework_failure_
+sed -i --follow-symlinks s/x/y/ xx || fail=1
+
 Exit $fail