From f7a0f9ecd56d6a3fb540b4eb81bdbc3a20ce1dff Mon Sep 17 00:00:00 2001
From: Zhijin Zeng
Date: Mon, 29 Jun 2026 19:54:01 +0800
Subject: [PATCH] [WRAPPER] Fix out-of-bounds memory corruption caused by strncpy in my_readlink

Two variables named `sz` exist in the `my_readlink` function, causing the parameter `sz` to be overwritten and resulting in out-of-bounds memory access.
---
 src/wrapped/wrappedlibc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/wrapped/wrappedlibc.c b/src/wrapped/wrappedlibc.c
index ea061e0850..fcf398bb40 100644
--- a/src/wrapped/wrappedlibc.c
+++ b/src/wrapped/wrappedlibc.c
@@ -2113,9 +2113,10 @@ EXPORT ssize_t my_readlink(x64emu_t* emu, void* path, void* buf, size_t sz)
 sprintf(cmdline_name, "/proc/%d/cmdline", pid);
 FILE* cmdline = fopen(cmdline_name, "r");
 if(cmdline) {
- ssize_t sz = 0;
+ ssize_t sz_cmd = 0;
 char filename[4096] = {0};
 // first arg should be the program name
- sz = fread(filename, 1, 4095, cmdline); // keep last char to end the string
+ sz_cmd = fread(filename, 1, 4095, cmdline); // keep last char to end the string
+ sz = sz_cmd > sz ? sz : sz_cmd;
 fclose(cmdline);
 if(filename[0]=='/') { // absolute path, easy...
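Review bot: The clamp on the added line `sz = sz_cmd > sz ? sz : sz_cmd;` bounds `sz` by the byte count of the whole `/proc/<pid>/cmdline` blob that `fread` returned (every NUL-separated argument), not by the length of the first argument that the comment above says is the value of interest, so if the code below the hunk copies `sz` bytes out of `filename` into `buf` and returns `sz` (the subject line suggests a `strncpy`), it can still report and copy more than the program name; bounding by the string instead, `size_t len = strnlen(filename, sizeof filename); sz = len < sz ? len : sz;`, would match readlink's contract of returning only the target's bytes. The new `ssize_t sz_cmd` also holds a `size_t` return from `fread` and is then compared against the `size_t` parameter `sz`, which converts it to unsigned; that is harmless only because `fread` never returns a negative count, and `size_t sz_cmd = 0;` removes the mixed-sign comparison. Whether the later copy still uses `sz` as its length cannot be confirmed from the hunk; the `if(filename[0]=='/')` block and the rest of `my_readlink` continue outside it.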