From be24b4dfccfda38c776545d571897ab17ecc96a6 Mon Sep 17 00:00:00 2001
From: Campbell Barton
Date: Wed, 12 Oct 2011 11:18:46 +0000
Subject: fix for possible buffer overflow bug in BLI_join_dirfile(), recent fix didn't account for the case when destination string and dir string matched.
---
 source/blender/blenlib/intern/path_util.c | 39 +++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/source/blender/blenlib/intern/path_util.c b/source/blender/blenlib/intern/path_util.c
index b206e275d9a..ab7d082c432 100644
--- a/source/blender/blenlib/intern/path_util.c
+++ b/source/blender/blenlib/intern/path_util.c
@@ -1430,21 +1430,40 @@ void BLI_split_dirfile(const char *string, char *dir, char *file)
 }
 
 /* simple appending of filename to dir, does not check for valid path! */
-void BLI_join_dirfile(char *string, const size_t maxlen, const char *dir, const char *file)
+void BLI_join_dirfile(char *dst, const size_t maxlen, const char *dir, const char *file)
 {
- int sl_dir;
+ size_t dirlen= BLI_strnlen(dir, maxlen);
 
- if(string != dir) /* compare pointers */
- BLI_strncpy(string, dir, maxlen -(file ? 1 : 0));
+ if (dst != dir) {
+ if(dirlen == maxlen) {
+ memcpy(dst, dir, dirlen);
+ dst[dirlen - 1]= '\0';
+ return; /* dir fills the path */
+ }
+ else {
+ memcpy(dst, dir, dirlen + 1);
+ }
+ }
 
- if (!file)
- return;
+ if (dirlen + 1 >= maxlen) {
+ return; /* fills the path */
+ }
 
- sl_dir= BLI_add_slash(string);
-
- if (sl_dir < maxlen) {
- BLI_strncpy(string + sl_dir, file, maxlen - sl_dir);
+ /* inline BLI_add_slash */
+ if (dst[dirlen - 1] != SEP) {
+ dst[dirlen++]= SEP;
+ dst[dirlen ]= '\0';
 }
+
+ if (dirlen >= maxlen) {
+ return; /* fills the path */
+ }
+
+ if (file == NULL) {
+ return;
+ }
+
+ BLI_strncpy(dst + dirlen, file, maxlen - dirlen);
 }
 
 /* like pythons os.path.basename( ) */
--
cgit v1.2.3
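Review bot: The inlined slash check `if (dst[dirlen - 1] != SEP)` is reached with `dirlen == 0` when `dir` is an empty string, and because `dirlen` is a `size_t` the index wraps, so the read lands far outside `dst`. Guard the index, e.g. `if (dirlen > 0 && dst[dirlen - 1] != SEP) {`, or use `dirlen == 0 ||` if an empty `dir` should still get a leading separator; which one matches the old `BLI_add_slash` behaviour is not visible in this hunk. The same wrap affects `dst[dirlen - 1]= '\0';` in the `dirlen == maxlen` branch if a caller ever passes `maxlen` of 0, which an early `if (maxlen == 0) return;` would close off. A short comment stating that `maxlen` is the full size of `dst` including the terminator would also help callers.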