authorDmitry V. Levin <ldv@altlinux.org>2013-05-16 03:48:21 +0400
committerJames Youngman <jay@gnu.org>2013-09-21 22:55:43 +0100
commit29f3173a562edc67361426ab8c7a1789e5814de1 (patch)
treee025eea6a704e1add2571dc510b7e0c6d97c49e3
parent2376e7c4a8bed066f7444dcf328f2f41912a7218 (diff)
find: fix potential buffer overflow in -execdir and -okdir
* lib/buildcmd.c (bc_push_arg): Take prefix length into account to avoid state->argbuf overflow. * NEWS: Mention this fix.
-rw-r--r--ChangeLog7
-rw-r--r--NEWS2
-rw-r--r--lib/buildcmd.c2
3 files changed, 10 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 6cd3ae6e..bce37901 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-09-21 Dmitry V. Levin <ldv@altlinux.org>
+
+ find: fix potential buffer overflow in -execdir and -okdir.
+ * lib/buildcmd.c (bc_push_arg): Take prefix length into account
+ to avoid state->argbuf overflow.
+ * NEWS: Mention this fix.
+
2013-09-21 James Youngman <jay@gnu.org>
Make sv-34976-execdir-fd-leak.sh test more POSIX-compliant.
diff --git a/NEWS b/NEWS
index 2fbc5da3..78febdb1 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,8 @@ The documentation for xargs now warns about parallel processes (xargs
Some bugs in 4.5.11 were fixed without adding them to the bug
database, though they are in the ChangeLog:
+*** find -execdir/-okdir potential buffer overflow.
+
*** Use of [[ ... ]] in find/testsuite/sv-bug-32043.sh
*** Don't delete header files in "lib/" for "make clean".
diff --git a/lib/buildcmd.c b/lib/buildcmd.c
index d1356920..2616ed6f 100644
--- a/lib/buildcmd.c
+++ b/lib/buildcmd.c
@@ -364,7 +364,7 @@ bc_push_arg (struct buildcmd_control *ctl,
if (!terminate)
{
- if (state->cmd_argv_chars + len > ctl->arg_max)
+ if (state->cmd_argv_chars + len + pfxlen > ctl->arg_max)
{
if (initial_args || state->cmd_argc == ctl->initial_argc)
error (EXIT_FAILURE, 0,
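Review bot: The bound check at `if (state->cmd_argv_chars + len + pfxlen > ctl->arg_max)` now carries an invariant that nothing on the line states: every byte later stored in `state->argbuf` for this argument has to be counted here. The earlier form left out the prefix, presumably because the check and the copy sit apart, so a comment above the condition such as `/* Must count every byte stored in argbuf for this argument: prefix plus arg. */` would help keep the two in step. The hunk does not show whether `len` and `pfxlen` include terminating NUL bytes, so it is worth confirming against the copy code that this sum matches what is actually written. bc_push_arg starts and ends outside the hunk.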