------------------ Original ------------------
From: "Stefan Kangas" <stefankangas@gmail.com>;
Date: Fri, Nov 25, 2022 03:53 PM
To: "lux"<lx@shellcodes.org>;
Cc: "Eli Zaretskii"<eliz@gnu.org>;"59544"<59544@debbugs.gnu.org>;
Subject: Re: bug#59544: [PATCH] Fixed lib-src/etags.c command execute vulnerability
"lux" <lx@shellcodes.org> writes:
> I rewrote this code to not use system(1).
Thanks.
> From d6bc71f8640efe7caa2657a75c5aa4d8b4f0532c Mon Sep 17 00:00:00 2001
> From: lu4nx <lx@shellcodes.org>
> Date: Fri, 25 Nov 2022 14:38:29 +0800
> Subject: [PATCH] * Fixed lib-src/etags.c command execute vulnerability
>
> ---
> lib-src/etags.c | 44 +++++++++++++++++++++++++++++++-------------
> 1 file changed, 31 insertions(+), 13 deletions(-)
>
> diff --git a/lib-src/etags.c b/lib-src/etags.c
> index f665f35fa6..1bb352f565 100644
> --- a/lib-src/etags.c
> +++ b/lib-src/etags.c
> @@ -1387,9 +1387,11 @@ main (int argc, char **argv)
> /* From here on, we are in (CTAGS && !cxref_style) */
> if (update)
> {
> - char *cmd =
> - xmalloc (strlen (tagfile) + whatlen_max +
> - sizeof "mv..OTAGS;grep -Fv '\t\t' OTAGS >;rm OTAGS");
> + FILE *otags_f, *tag_f;
> + int buf_len;
> + char *buf;
> + char line[512];
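Review bot: `char line[512]` in the new declarations fixes the read buffer at 512 bytes, and nothing in the visible lines shows what happens to a tags line longer than that. The removed command filtered whole lines with `grep -Fv`, which has no length limit; if the replacement applies its filter to each 512-byte read rather than to each complete line, a long entry would be tested in fragments and the fragments that do not contain the tab-delimited pattern would be kept. Consider reading into a buffer that grows until the newline is seen before filtering. Separately, `int buf_len` would be better as a size type if it holds a sum of strlen results, as the removed xmalloc size expression did.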
> Hmm, I'm not sure about the hard-coded 512 character line limit here.
> ISTR that some people use much longer lines than that.
Hi, do you have any suggestions? At present, I think hardcoding 512 is enough, thanks :-)