From 5d6ace6121ae07ba603ae2c5b6e4593449875e6f Mon Sep 17 00:00:00 2001
From: usa
Date: Wed, 21 Dec 2016 07:50:14 +0000
Subject: Fixed potentially buffer overrun.
* win32/win32.c (winnt_stat): the return value of `get_final_path` is the expected buffer length, not the actuall filled length.
* win32/win32.c (winnt_stat): `finalname` may be accessed in the outer block of its definition via `path`.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57135 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 win32/win32.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'win32/win32.c')
diff --git a/win32/win32.c b/win32/win32.c
index 17dce8d016..decf81846d 100644
--- a/win32/win32.c
+++ b/win32/win32.c
@@ -5547,11 +5547,11 @@ static int
 winnt_stat(const WCHAR *path, struct stati64 *st)
 {
 HANDLE f;
+ WCHAR finalname[PATH_MAX];
 memset(st, 0, sizeof(*st));
 f = open_special(path, 0, 0);
 if (f != INVALID_HANDLE_VALUE) {
- WCHAR finalname[PATH_MAX];
 const DWORD attr = stati64_handle(f, st);
 const DWORD len = get_final_path(f, finalname, numberof(finalname), 0);
 CloseHandle(f);
@@ -5560,7 +5560,7 @@ winnt_stat(const WCHAR *path, struct stati64 *st)
 }
 st->st_mode = fileattr_to_unixmode(attr, path);
 if (len) {
- finalname[len] = L'\0';
+ finalname[min(len, PATH_MAX-1)] = L'\0';
 path = finalname;
 if (wcsncmp(path, namespace_prefix, numberof(namespace_prefix)) == 0)
 path += numberof(namespace_prefix);
-- 
cgit v1.2.3
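Review bot: The hoisted declaration `WCHAR finalname[PATH_MAX];` at the top of winnt_stat has no comment saying why it sits at function scope, so a later tidy-up could move it back inside the `if (f != INVALID_HANDLE_VALUE)` block and bring back the dangling `path` that the commit message describes. I would add `/* function scope: path may point into finalname after the if-block */` directly above it. The reads of `path` after the block lie outside this hunk, so the lifetime argument rests on the commit message rather than on visible lines.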
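Review bot: Clamping the index in `finalname[min(len, PATH_MAX-1)] = L'\0';` stops the out-of-bounds write, but the oversized case still goes on to `path = finalname`. Per the commit message, `get_final_path` returns the required length when the buffer is too small, which suggests (its body is not visible here) that `finalname` was not filled and holds uninitialised stack data up to the forced terminator. Treating that case as having no final path looks safer, for example `if (len && len < numberof(finalname)) {`, after which `finalname[len] = L'\0';` is in bounds without a clamp. If the clamp stays, `numberof(finalname) - 1` would keep the bound tied to the array, as the `get_final_path` call already does. winnt_stat continues beyond this hunk, so how `path` is consumed afterwards should be checked there.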