[SV 65172] Avoid buffer overruns when expanding for $(shell ...)

Reported-by: MIAOW Miao <guoyr_2013@hotmail.com> Patch from: Henrik Carlqvist <hc981@poolhem.se> Test from: Dmitry Goncharov <dgoncharov@users.sf.net> * src/expand.c (recursively_expand_for_file): Check the variable name before checking for equality so we don't overrun the buffer. * tests/scripts/functions/shell: Add a test with a very long variable.
2025-01-13 13:50:05 +08:00 · 2024-01-18 17:54:59 -05:00 · 2024-01-18 17:54:59 -05:00 · 25049fef16
commit 25049fef16
parent 31036e648f
2 changed files with 12 additions and 1 deletions
--- a/src/expand.c
+++ b/src/expand.c
@ -163,7 +163,7 @@ recursively_expand_for_file (struct variable *v, struct file *file)
      /* We could create a hash for the original environment for speed, but a
         reasonably written makefile shouldn't hit this situation...  */
      for (ep = environ; *ep != 0; ++ep)
-        if ((*ep)[nl] == '=' && strncmp (*ep, v->name, nl) == 0)
+        if (strncmp (*ep, v->name, nl) == 0 && (*ep)[nl] == '=')
          return xstrdup ((*ep) + nl + 1);

      /* If there's nothing in the parent environment, use the empty string.
--- a/tests/scripts/functions/shell
+++ b/tests/scripts/functions/shell
@ -213,4 +213,15 @@ endif
                  '--no-print-directory -j2', ": 2\n: 1");
 }

+if ($port_type eq 'UNIX') {
+    # sv 65172.
+    # Buffer overrun in recursively_expand_for_file on a variable with a long
+    # name.
+    my $v = "a1234567890" x 4 x 1000;
+    run_make_test("
+export $v=\$(shell echo hello)
+all:; \@echo \$\$$v
+", '', "hello\n");
+}
+
 1;