components/bash/patches/solaris-019.eaccess.c.patch
changeset 1082 6d49548fa9da
child 5518 c47fe0edc204
1081:3d086c82286d 1082:6d49548fa9da
       
     1 --- lib/sh/eaccess.c	2012-10-09 12:45:17.924274300 -0700
       
     2 +++ lib/sh/eaccess.c	2012-10-09 12:44:21.930979200 -0700
       
     3 @@ -40,6 +40,10 @@
       
     4  #if !defined (_POSIX_VERSION) && defined (HAVE_SYS_FILE_H)
       
     5  #  include <sys/file.h>
       
     6  #endif /* !_POSIX_VERSION */
       
     7 +
       
     8 +#include <string.h> /* memset(3C) */
       
     9 +#include <limits.h> /* _XOPEN_PATH_MAX */
       
    10 +
       
    11  #include "posixstat.h"
       
    12  #include "filecntl.h"
       
    13  
       
    14 @@ -82,7 +86,7 @@
       
    15       const char *path;
       
    16       struct stat *finfo;
       
    17  {
       
    18 -  static char *pbuf = 0;
       
    19 +  static char pbuf[_XOPEN_PATH_MAX + 1];
       
    20  
       
    21    if (*path == '\0')
       
    22      {
       
    23 @@ -108,9 +112,11 @@
       
    24       trailing slash.  Make sure /dev/fd/xx really uses DEV_FD_PREFIX/xx.
       
    25       On most systems, with the notable exception of linux, this is
       
    26       effectively a no-op. */
       
    27 -      pbuf = xrealloc (pbuf, sizeof (DEV_FD_PREFIX) + strlen (path + 8));
       
    28 +  /* The way CVE-2012-3410 was fixed is wrong */
       
    29 +      (void) memset (pbuf, '\0', sizeof(pbuf));
       
    30        strcpy (pbuf, DEV_FD_PREFIX);
       
    31 -      strcat (pbuf, path + 8);
       
    32 +      strncat (pbuf, path + 8,
       
    33 +          (size_t) (sizeof(pbuf) - sizeof(DEV_FD_PREFIX)));
       
    34        return (stat (pbuf, finfo));
       
    35  #endif /* !HAVE_DEV_FD */
       
    36      }
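Review bot: In the last hunk an over-long `/dev/fd/` name is silently truncated by `strncat`, so `stat` runs on a different path than the caller passed instead of failing. Check the length first, e.g. `if (strlen (path + 8) > sizeof (pbuf) - sizeof (DEV_FD_PREFIX)) { errno = ENAMETOOLONG; return (-1); }` (assuming `<errno.h>` is already included in this file, which the hunks do not show). The bound passed to `strncat` is itself correct (prefix plus n bytes plus the terminator equals `sizeof (pbuf)`), and the `memset` is redundant because `strcpy` and `strncat` both NUL-terminate. The comment `/* The way CVE-2012-3410 was fixed is wrong */` does not say what is wrong with the removed `xrealloc` sizing and should state the reason and the invariant the fixed buffer relies on. `_XOPEN_PATH_MAX` is, as far as I know, the XSI minimum for `PATH_MAX` rather than the system limit, so `PATH_MAX` may be the better size; the enclosing function starts and ends outside the hunks.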