make globfree safe after failed glob from over-length argument

commit 0dc99ac413 added input length checking to avoid unsafe VLA allocation, but put it in the wrong place, before the glob_t structure was zeroed out. while POSIX isn't clear on whether it's permitted to call globfree after glob failed with GLOB_NOSPACE, making it safe is clearly better than letting uninitialized pointers get passed to free in non-conforming callers. while we're fixing this, change strlen check to the idiomatic strnlen version to avoid unbounded input scanning before returning an error.
2025-03-06 03:37:29 +00:00 · 2017-01-02 19:47:12 -05:00 · 2017-01-02 19:47:12 -05:00 · 769f53598e
commit 769f53598e
parent 61fb81e395
1 changed files with 2 additions and 2 deletions
--- a/src/regex/glob.c
+++ b/src/regex/glob.c
@ -169,8 +169,6 @@ int glob(const char *restrict pat, int flags, int (*errfunc)(const char *path, i
 		d = "";
 	}

-	if (strlen(p) > PATH_MAX) return GLOB_NOSPACE;
-
 	if (!errfunc) errfunc = ignore_err;

 	if (!(flags & GLOB_APPEND)) {
@ -179,6 +177,8 @@ int glob(const char *restrict pat, int flags, int (*errfunc)(const char *path, i
 		g->gl_pathv = NULL;
 	}

+	if (strnlen(p, PATH_MAX+1) > PATH_MAX) return GLOB_NOSPACE;
+
 	if (*p) error = match_in_dir(d, p, flags, errfunc, &tail);
 	if (error == GLOB_NOSPACE) {
 		freelist(&head);