authorAndy Chu <andychu@google.com>2016-03-19 23:11:30 -0700
committerRob Landley <rob@landley.net>2016-04-14 21:30:24 -0500
commit433296f8802ccf82eb32da3bfa002df2a8b5095a (patch)
treef6d98eeab74343cb31a0d9ff67ef07d447f00944 /toys
parentc73947814aab381a0761ecc919e6c5407c3fd617 (diff)
Fix a buffer overflow in diff -r.
We were doing two 32-byte memset()s instead of two 16-byte memset()s. 'dir' referred to the instance (array of 2) and not the struct type. Add some test coverage for diff, including a case that hit this bug. The bug was found by running cp.test under AddressSanitizer, since it happens to use diff.
Diffstat (limited to 'toys')
-rw-r--r--toys/pending/diff.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/toys/pending/diff.c b/toys/pending/diff.c
index da6c13a0..53bdbce3 100644
--- a/toys/pending/diff.c
+++ b/toys/pending/diff.c
@@ -59,7 +59,7 @@ struct diff {
long a, b, c, d, prev, suff;
};
-static struct dir {
+static struct dir_t {
char **list;
int nr_elm;
} dir[2];
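Review bot: The new tag `dir_t` on the `static struct dir_t {` line (and `file_t` in the next hunk) is introduced only so the memset in diff_main can spell `sizeof(struct dir_t)`; `memset(&dir[j], 0, sizeof dir[j]);` needs no tag at all and keeps the cleared size tied to the object being cleared, which is exactly the coupling the original `sizeof(dir)` bug lacked. Identifiers ending in `_t` are reserved by POSIX when any POSIX header is included, so if a tag is kept, a name such as `dir_entry` / `file_entry` avoids the reserved suffix. The struct definitions here are complete within the hunk; the memset that motivates the rename is in a later hunk of the same file.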
@@ -69,7 +69,7 @@ struct candidate {
struct candidate *prev, *next;
};
-static struct file {
+static struct file_t {
FILE *fp;
int len;
} file[2];
@@ -797,7 +797,7 @@ void diff_main(void)
if (S_ISDIR(st[0].st_mode) && S_ISDIR(st[1].st_mode)) {
for (j = 0; j < 2; j++) {
- memset(&dir[j], 0, sizeof(dir));
+ memset(&dir[j], 0, sizeof(struct dir_t));
dirtree_flagread(files[j], DIRTREE_SYMFOLLOW, list_dir);
dir[j].nr_elm = TT.size; //size updated in list_dir
qsort(&(dir[j].list[1]), (TT.size - 1), sizeof(char*), cmp);