Obtained from: 1.1.5

getcwd() has two off-by-one bugs in FreeBSD-2.0:

1. getcwd(buf, size) fails when the size is just large enough.
2. getcwd(buf + 1, 1) incorrectly succeeds when the current directory
   is "/".  buf[0] and buf[2] are clobbered.

(I modified Bruce's original patch to return the proper error code
[ERANGE] in the case of #2, but otherwise... -DG)

This program demonstrates the bug:

---
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    char buf[5];
    int errors;

    errors = 0;
    if (chdir("/tmp") != 0) {
        perror("chdir");
        abort();
    }
    if (getcwd(buf, 5) == NULL) {
        perror("oops, getcwd failed for buffer size = size required");
        ++errors;
    }
    if (chdir("/") != 0) {
        perror("chdir");
        abort();
    }
    buf[0] = 0;
    buf[2] = 1;
    if (getcwd(buf + 1, 1) != NULL) {
        fprintf(stderr,
                "oops, getcwd succeeded for buffer size = one too small\n");
        ++errors;
    }
    if (buf[0] != 0) {
        fprintf(stderr,
                "oops, getcwd scribbled on memory before start of buffer\n");
        ++errors;
    }
    if (buf[2] != 1) {
        fprintf(stderr,
                "oops, getcwd scribbled on memory after end of buffer\n");
        ++errors;
    }
    exit(errors == 0 ? 0 : 1);
}

lib/libc/gen/getcwd.c

@@ -78,6 +78,10 @@ getcwd(pt, size)
 			errno = EINVAL;
 			return (NULL);
 		}
+		if (size == 1) {
+			errno = ERANGE;
+			return (NULL);
+		}
 		ept = pt + size;
 	} else {
 		if ((pt = malloc(ptsize = 1024 - 4)) == NULL)
@@ -187,7 +191,7 @@ getcwd(pt, size)
 		 * Check for length of the current name, preceding slash,
 		 * leading slash.
 		 */
-		if (bpt - pt <= dp->d_namlen + (first ? 1 : 2)) {
+		if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) {
 			size_t len, off;
 
 			if (!ptsize) {