Skip to content

gfileutils: Correctly reset start value when canonicalising paths

Philip Withnall requested to merge pwithnall/glib:ossfuzz-41563-canonical-triple-slash-dot-dot into main

If a path starts with more than two slashes, the start value was previously incorrect:

  1. As per the g_path_skip_root() call, start was set to point to after the final initial slash. For a path with three initial slashes, this is the character after the third slash.
  2. The canonicalisation loop to find the first dir separator sets output to point to the character after the first slash (and it overwrites the first slash to be G_DIR_SEPARATOR).
  3. At this point, with a string ///usr, output points to the second /; and start points to the u. This is incorrect, as start should point to the starting character for output, as per the original call to g_path_skip_root().
  4. For paths which subsequently include a .., this results in the output > start check in the .. loop below not skipping all the characters of a preceding path component, which is then caught by the G_IS_DIR_SEPARATOR (output[-1]) assertion.

Signed-off-by: Philip Withnall pwithnall@endlessos.org

oss-fuzz#41563

Merge request reports