win: fix buffer overflow in fs events

When converting an absolute path to a relative path on Windows, uv_relative_path assumed that the relative path could be no longer than MAX_PATH characters, and would allocate a buffer of MAX_PATH characters for the relative path. However, where a recursive watch is started for a directory using a UNC path, and where events within that directory occur for pathnames longer than MAX_PATH, it is possible for the relative path to exceed MAX_PATH characters and overflow the buffer. This commit fixes uv_relative_path to allocate a buffer for the exact number of characters counted in the relative path. Fixes: https://github.com/libuv/libuv/issues/693 PR-URL: https://github.com/libuv/libuv/pull/699 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>
2016-01-26 12:21:52 +02:00 · 2016-01-26 12:21:52 +02:00 · b44abe20ef
commit b44abe20ef
parent 60db5b5a1b
1 changed files with 1 additions and 1 deletions
--- a/src/win/fs-event.c
+++ b/src/win/fs-event.c
@ -70,7 +70,7 @@ static int uv_relative_path(const WCHAR* filename,
  int filelen = wcslen(filename);
  if (dir[dirlen - 1] == '\\')
    dirlen--;
-  *relpath = uv__malloc((MAX_PATH + 1) * sizeof(WCHAR));
+  *relpath = uv__malloc((filelen - dirlen - 1 + 1) * sizeof(WCHAR));
  if (!*relpath)
    uv_fatal_error(ERROR_OUTOFMEMORY, "uv__malloc");
  wcsncpy(*relpath, filename + dirlen + 1, filelen - dirlen - 1);