From b44abe20ef359aff1d0054fbf69c240642bf0bf1 Mon Sep 17 00:00:00 2001 From: Joran Dirk Greef Date: Tue, 26 Jan 2016 12:21:52 +0200 Subject: [PATCH] win: fix buffer overflow in fs events MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When converting an absolute path to a relative path on Windows, uv_relative_path assumed that the relative path could be no longer than MAX_PATH characters, and would allocate a buffer of MAX_PATH characters for the relative path. However, where a recursive watch is started for a directory using a UNC path, and where events within that directory occur for pathnames longer than MAX_PATH, it is possible for the relative path to exceed MAX_PATH characters and overflow the buffer. This commit fixes uv_relative_path to allocate a buffer for the exact number of characters counted in the relative path. Fixes: https://github.com/libuv/libuv/issues/693 PR-URL: https://github.com/libuv/libuv/pull/699 Reviewed-By: Ben Noordhuis Reviewed-By: Saúl Ibarra Corretgé --- src/win/fs-event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/win/fs-event.c b/src/win/fs-event.c index 52c24a40..bb1a2bc1 100644 --- a/src/win/fs-event.c +++ b/src/win/fs-event.c @@ -70,7 +70,7 @@ static int uv_relative_path(const WCHAR* filename, int filelen = wcslen(filename); if (dir[dirlen - 1] == '\\') dirlen--; - *relpath = uv__malloc((MAX_PATH + 1) * sizeof(WCHAR)); + *relpath = uv__malloc((filelen - dirlen - 1 + 1) * sizeof(WCHAR)); if (!*relpath) uv_fatal_error(ERROR_OUTOFMEMORY, "uv__malloc"); wcsncpy(*relpath, filename + dirlen + 1, filelen - dirlen - 1);