THRIFT-5932: compiler/cpp: bound saferealpath() output on Windows#3357
Open
neosys007 wants to merge 2 commits intoapache:masterfrom
Open
THRIFT-5932: compiler/cpp: bound saferealpath() output on Windows#3357neosys007 wants to merge 2 commits intoapache:masterfrom
neosys007 wants to merge 2 commits intoapache:masterfrom
Conversation
Jens-G
requested changes
Mar 22, 2026
| if (source_len >= resolved_path_size) { | ||
| return nullptr; | ||
| } | ||
| strcpy(resolved_path, source); |
Contributor
Author
There was a problem hiding this comment.
I would prefer not to truncate here. This path now rejects inputs that do not fit in the destination buffer, so strcpy() matches the intended semantics better than strncpy(): we want a full string copy after the explicit length check, not truncation or zero-padding.
The Windows fallback in saferealpath() still copies either the original path or the GetFullPathNameA() result into resolved_path with strcpy(), but the helper does not know the caller buffer size. Make saferealpath() size-aware, reject paths that do not fit the caller buffer, and keep the existing call sites using their fixed THRIFT_PATH_MAX storage. Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
neosys007
force-pushed
the
codex/thrift-5932-windows-realpath
branch
from
b97cc5c to
72e169c
Compare
Jens-G
reviewed
Mar 24, 2026
| return nullptr; | ||
| } | ||
| memcpy(resolved_path, source, source_len + 1); | ||
|
|
Use strcpy() once the source path has been checked to fit in the\ndestination buffer. This keeps the operation expressed as a string copy,\nwhich is clearer in this code path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR makes the Windows realpath fallback in the Thrift compiler size-aware.
Current head still has a Windows fallback that copies the resolved path back into
resolved_pathwithstrcpy(). That is safe only when the caller buffer is large enough, butsaferealpath()currently has no way to verify that. The compiler call sites all use fixedTHRIFT_PATH_MAXbuffers, so the fallback needs to reject overlong paths before copying them back.The fix changes
saferealpath()to take the destination capacity explicitly and returnnullptrwhen the path does not fit. The existing compiler call sites were updated to passTHRIFT_PATH_MAX.This keeps the change small, makes the contract explicit, and avoids hiding the overflow behind the Windows-specific fallback.
Validation performed locally:
git diff --checkcompiler/cpp/src/thrift/main.ccmain.cccompiles cleanly in syntax-only mode after the signature update.Related Jira: