From 433296f8802ccf82eb32da3bfa002df2a8b5095a Mon Sep 17 00:00:00 2001
From: Andy Chu
Date: Sat, 19 Mar 2016 23:11:30 -0700
Subject: Fix a buffer overflow in diff -r.

We were doing two 32-byte memset()s instead of two 16-byte memset()s. 'dir' referred to the instance (array of 2) and not the struct type. Add some test coverage for diff, including a case that hit this bug. The bug was found by running cp.test under AddressSanitizer, since it happens to use diff.
---
 toys/pending/diff.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'toys/pending/diff.c')

diff --git a/toys/pending/diff.c b/toys/pending/diff.c
index da6c13a0..53bdbce3 100644
--- a/toys/pending/diff.c
+++ b/toys/pending/diff.c
@@ -59,7 +59,7 @@ struct diff {
 long a, b, c, d, prev, suff;
 };
 
-static struct dir {
+static struct dir_t {
 char **list;
 int nr_elm;
 } dir[2];
@@ -69,7 +69,7 @@ struct candidate {
 struct candidate *prev, *next;
 };
 
-static struct file {
+static struct file_t {
 FILE *fp;
 int len;
 } file[2];
@@ -797,7 +797,7 @@ void diff_main(void)
 if (S_ISDIR(st[0].st_mode) && S_ISDIR(st[1].st_mode)) {
 for (j = 0; j < 2; j++) {
- memset(&dir[j], 0, sizeof(dir));
+ memset(&dir[j], 0, sizeof(struct dir_t));
 dirtree_flagread(files[j], DIRTREE_SYMFOLLOW, list_dir);
 dir[j].nr_elm = TT.size; //size updated in list_dir
 qsort(&(dir[j].list[1]), (TT.size - 1), sizeof(char*), cmp);
-- 
cgit v1.2.3
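Review bot: The corrected call `memset(&dir[j], 0, sizeof(struct dir_t));` in the diff_main hunk still spells the size by naming the type, which is exactly the coupling that let the old `sizeof(dir)` (the whole 2-element array) overflow past `dir[j]`; `memset(&dir[j], 0, sizeof dir[j]);` takes the size from the object being cleared and cannot drift if the tag or element type changes again. With that form the struct-tag renames in the two earlier hunks are not required for the fix, and the chosen `_t` suffix is a name pattern POSIX reserves for implementation-defined types, so a plain tag such as `struct diff_dir` would be the safer style. The enclosing `for` loop and diff_main's body begin and end outside the hunk, so whether any other clearing of `dir` or `file` exists elsewhere cannot be confirmed from this patch.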