From de9061b214a3b32aeb7ed5bd6374db0674fba578 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Mon, 27 Aug 2007 11:01:39 +0300
Subject: Fix monday morning thinkos wrt macro buffer changes. The expanded
 size is of course not known beforehand.. check for size before copying
 instead.

---
 rpmio/macro.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/rpmio/macro.c b/rpmio/macro.c
index b5363ef00..4f9be0700 100644
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -599,13 +599,15 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
 	/*@globals rpmGlobalMacroContext, h_errno, fileSystem @*/
 	/*@modifies mb, rpmGlobalMacroContext, fileSystem @*/
 {
-    char *pcmd;
+    char pcmd[BUFSIZ];
     FILE *shf;
     int rc;
     int c;
 
-    pcmd = alloca(clen + 1);
-    memset(pcmd, 0, (clen + 1));
+    if (clen >= sizeof(pcmd)) {
+	rpmError(RPMERR_BADSPEC, _("Target buffer overflow\n"));
+	return 1;
+    }
 
     strncpy(pcmd, cmd, clen);
     pcmd[clen] = '\0';
@@ -1082,11 +1084,12 @@ doOutput(MacroBuf mb, int waserror, const char * msg, size_t msglen)
 	/*@globals rpmGlobalMacroContext, h_errno, fileSystem @*/
 	/*@modifies mb, rpmGlobalMacroContext, fileSystem @*/
 {
-    char *buf;
-
-    buf = alloca(msglen + 1);
-    memset(buf, 0, (msglen + 1));
+    char buf[BUFSIZ];
 
+    if (msglen >= sizeof(buf)) {
+	rpmError(RPMERR_BADSPEC, _("Target buffer overflow\n"));
+	msglen = sizeof(buf) - 1;
+    }
     strncpy(buf, msg, msglen);
     buf[msglen] = '\0';
     (void) expandU(mb, buf, sizeof(buf));
@@ -1111,12 +1114,15 @@ doFoo(MacroBuf mb, int negate, const char * f, size_t fn,
 	/*@globals rpmGlobalMacroContext, h_errno, fileSystem, internalState @*/
 	/*@modifies mb, rpmGlobalMacroContext, fileSystem, internalState @*/
 {
-    char *buf, *b = NULL, *be;
+    char buf[BUFSIZ], *b = NULL, *be;
     int c;
 
-    buf = alloca(gn + 1);
-    memset(buf, 0, gn + 1);
+    buf[0] = '\0';
     if (g != NULL) {
+	if (gn >= sizeof(buf)) {
+	    rpmError(RPMERR_BADSPEC, _("Target buffer overflow\n"));
+	    gn = sizeof(buf) - 1;
+        }
 	strncpy(buf, g, gn);
 	buf[gn] = '\0';
 	(void) expandU(mb, buf, sizeof(buf));
-- 
cgit v1.2.3