Revision 1.287 introduces a bug, the reporter says "The size returned in the dls_size field is incorrect, causing subsequent calls of dlinfo() into a buffer of that size to buffer overflow (hence marked as critical)." diff -u -p -r1.286 -r1.287 --- elf/dl-load.c 30 Jun 2007 17:01:07 -0000 1.286 +++ elf/dl-load.c 12 Jul 2007 18:15:27 -0000 1.287 @@ -2273,14 +2273,17 @@ _dl_rtld_di_serinfo (struct link_map *lo if (counting) { si->dls_cnt++; - si->dls_size += r->dirnamelen; + si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2; } else { Dl_serpath *const sp = &si->dls_serpath[idx++]; sp->dls_name = allocptr; - allocptr = __mempcpy (allocptr, - r->dirname, r->dirnamelen - 1); + if (r->dirnamelen < 2) + *allocptr++ = r->dirnamelen ? '/' : '.'; + else + allocptr = __mempcpy (allocptr, + r->dirname, r->dirnamelen - 1); *allocptr++ = '\0'; sp->dls_flags = flags; } Ok to commit the appended fix? I would like to add it for both 2.7 and head, Andreas 2007-10-28 Andreas Jaeger [BZ #5222] * elf/dl-load.c (_dl_rtld_di_serinfo): Correctly compute dls_size. Reported by Stefanus Du Toit . ============================================================ Index: elf/dl-load.c --- elf/dl-load.c 3 Aug 2007 15:50:24 -0000 1.288 +++ elf/dl-load.c 28 Oct 2007 05:41:48 -0000 @@ -2274,7 +2274,7 @@ _dl_rtld_di_serinfo (struct link_map *lo if (counting) { si->dls_cnt++; - si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2; + si->dls_size += r->dirnamelen > 2 ? r->dirnamelen : 2; } else { -- Andreas Jaeger, Director Platform / openSUSE, aj@suse.de SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126