mirror of
https://github.com/jart/cosmopolitan.git
synced 2025-01-31 03:27:39 +00:00
Fix buffer overflow in os.tmpname (#1180)
At least on macOS, `strlen(getenv("TMPDIR"))` is 50. We now allow a /tmp that takes up to 120 or so bytes to spell. Instead of overflowing, we do a bounds check and the function fails successfully on even longer /tmps. Fixes #1108 (os.tmpname crashes redbean)
parent
4292348707
commit
65c9b28e99
2 changed files with 6 additions and 4 deletions
2
third_party/lua/README.cosmo
vendored
2
third_party/lua/README.cosmo
vendored
|
@ -36,3 +36,5 @@ LOCAL MODIFICATIONS
|
|||
Added Python-like printf modulus operator for strings.
|
||||
|
||||
Added Python-like printf multiply operator for strings.
|
||||
|
||||
Fixed a buffer overflow in os.tmpname
|
||||
|
|
8
third_party/lua/loslib.c
vendored
8
third_party/lua/loslib.c
vendored
|
@ -133,12 +133,12 @@ __static_yoink("lua_notice");
|
|||
|
||||
#if defined(LUA_USE_POSIX) /* { */
|
||||
|
||||
#define LUA_TMPNAMBUFSIZE 32
|
||||
#define LUA_TMPNAMBUFSIZE 128
|
||||
|
||||
#define lua_tmpnam(b,e) { \
|
||||
strcpy(b, __get_tmpdir()); \
|
||||
strcat(b, "lua_XXXXXX"); \
|
||||
e = mkstemp(b); \
|
||||
strlcpy(b, __get_tmpdir(), LUA_TMPNAMBUFSIZE); \
|
||||
e = strlcat(b, "lua_XXXXXX", LUA_TMPNAMBUFSIZE) >= LUA_TMPNAMBUFSIZE; \
|
||||
e = e ? -1 : mkstemp(b); \
|
||||
if (e != -1) close(e); \
|
||||
e = (e == -1); }
|
||||
|
||||
|
|
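Review bot: The new bound in `lua_tmpnam` is the constant `LUA_TMPNAMBUFSIZE`, not the size of `b`, so the overflow fix holds only while every caller passes a buffer of at least that many bytes; the caller is outside this hunk, and the macro deserves a comment such as `/* b must point to at least LUA_TMPNAMBUFSIZE bytes */`. The unchecked `strlcpy` looks like a gap but is not: a truncated copy leaves 127 bytes in `b`, so the following `strlcat` returns at least 137 and the length test fails before `mkstemp` ever sees a truncated path, which is worth recording as `/* strlcat's return also catches a truncated strlcpy */`. Reusing `e` as overflow flag, then file descriptor, then error flag is hard to follow; parenthesising the comparison, `e = (strlcat(b, "lua_XXXXXX", LUA_TMPNAMBUFSIZE) >= LUA_TMPNAMBUFSIZE); \`, would at least make the first step explicit. A too-long temp directory and a failed `mkstemp` both end as `e == 1`, so the caller (not shown) presumably reports the same error for both.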