From e0bc951ff251907bbfee2e43c3ffcc9e8fe64c54 Mon Sep 17 00:00:00 2001
From: Gireesh Punathil
Date: Tue, 6 Nov 2018 10:29:32 -0500
Subject: [PATCH] aix: fix race in uv_get_process_title()
The length calculation of the title string was performed outside of the mutex, causing data corruption in heavily contended scenarios. Move the length computation to within the mutex block
Fixes: https://github.com/libuv/libuv/issues/2063
PR-URL: https://github.com/libuv/libuv/pull/2069
Reviewed-By: Santiago Gimeno
Reviewed-By: Richard Lau
Reviewed-By: Ben Noordhuis
Reviewed-By: Colin Ihrig
---
 src/unix/aix.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/unix/aix.c b/src/unix/aix.c
index 92de8148..baac8e6c 100644
--- a/src/unix/aix.c
+++ b/src/unix/aix.c
@@ -886,16 +886,20 @@ int uv_set_process_title(const char* title) {
 int uv_get_process_title(char* buffer, size_t size) {
 size_t len;
- len = strlen(process_argv[0]);
 if (buffer == NULL || size == 0)
 return UV_EINVAL;
- else if (size <= len)
- return UV_ENOBUFS;
 uv_once(&process_title_mutex_once, init_process_title_mutex_once);
 uv_mutex_lock(&process_title_mutex);
- memcpy(buffer, process_argv[0], len + 1);
+ len = strlen(process_argv[0]);
+ if (size <= len) {
+ uv_mutex_unlock(&process_title_mutex);
+ return UV_ENOBUFS;
+ }
+
+ memcpy(buffer, process_argv[0], len);
+ buffer[len] = '\0';
 uv_mutex_unlock(&process_title_mutex);
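Review bot: `strlen(process_argv[0])` is reached with no visible check that `process_argv` or `process_argv[0]` is non-NULL; the only argument validation in uv_get_process_title() covers `buffer` and `size`. The definition and initialisation of `process_argv` are not in this hunk, so this is something to confirm, but if the array is only filled in by a setup call the embedder can skip, the call reads through a null pointer. A guard right after `uv_mutex_lock()`, `if (process_argv == NULL || process_argv[0] == NULL)`, using the same unlock-and-return shape as the `size <= len` branch, would cover it. A comment above the `strlen` line such as `/* Measure and copy under one lock hold: the title can change between an unlocked strlen() and the memcpy(). */` would keep a later cleanup from hoisting the length computation back out. The function's return and closing brace lie outside the hunk.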