# HG changeset patch
# User stuefe
# Date 1473759511 -7200
# Tue Sep 13 11:38:31 2016 +0200
# Node ID ab45e19ad217d4debbac1dd6c4324c9334e96a49
# Parent d6a338c11d88db324694fb52f9ff4735b486830b
8165936: Potential Heap buffer overflow when seaching timezone info files
Summary: readdir_r called with too small buffer
Reviewed-by:
diff --git a/src/java.base/unix/native/libjava/TimeZone_md.c b/src/java.base/unix/native/libjava/TimeZone_md.c
--- a/src/java.base/unix/native/libjava/TimeZone_md.c
+++ b/src/java.base/unix/native/libjava/TimeZone_md.c
@@ -134,7 +134,20 @@
 return NULL;
 }
 
- entry = (struct dirent64 *) malloc((size_t) pathconf(dir, _PC_NAME_MAX));
+ long name_max = pathconf(dir, _PC_NAME_MAX);
+ // If pathconf did not work, fall back to NAME_MAX.
+ if (name_max < 0) {
+ name_max = NAME_MAX;
+ }
+ // Some older System V systems have a very small NAME_MAX size of 14; as
+ // there is no way to tell readdir_r the output buffer size, lets enforce
+ // a mimimum buffer size.
+ const long min = 1024;
+ if (name_max < min) {
+ name_max = min;
+ }
+
+ entry = (struct dirent64 *) malloc(offsetof(struct dirent, d_name) + name_max + 1);
 if (entry == NULL) {
 (void) closedir(dirp);
 return NULL;
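Review bot: The new malloc size is computed with `offsetof(struct dirent, d_name)` although the buffer is cast to and used as a `struct dirent64 *`; on any build where the two structures are laid out differently (for example a 32-bit target where dirent64 carries wider inode/offset fields) d_name may start later in dirent64, and the allocation is then short by that difference. The 1024-byte floor on name_max masks this in practice, but the size expression should name the type that readdir_r actually fills: `entry = (struct dirent64 *) malloc(offsetof(struct dirent64, d_name) + name_max + 1);`. The hunk does not show whether `<stddef.h>` and `<limits.h>` are already included for `offsetof` and `NAME_MAX`, so that is worth confirming before merge. The enclosing function begins and ends outside this hunk, so the later use and release of `entry` could not be checked here.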