+static int fixup_rpath(struct dso *p, char *buf, size_t buf_size)
+{
+ size_t n, l;
+ const char *s, *t, *origin;
+ char *d;
+ if (p->rpath) return 0;
+ if (!p->rpath_orig) return -1;
+ if (!strchr(p->rpath_orig, '$')) {
+ p->rpath = p->rpath_orig;
+ return 0;
+ }
+ n = 0;
+ s = p->rpath_orig;
+ while ((t=strchr(s, '$'))) {
+ if (strncmp(t, "$ORIGIN", 7) && strncmp(t, "${ORIGIN}", 9))
+ return -1;
+ s = t+1;
+ n++;
+ }
+ if (n > SSIZE_MAX/PATH_MAX) return -1;
+
+ if (p->kernel_mapped) {
+ /* $ORIGIN searches cannot be performed for the main program
+ * when it is suid/sgid/AT_SECURE. This is because the
+ * pathname is under the control of the caller of execve.
+ * For libraries, however, $ORIGIN can be processed safely
+ * since the library's pathname came from a trusted source
+ * (either system paths or a call to dlopen). */
+ if (libc.secure)
+ return -1;
+ l = readlink("/proc/self/exe", buf, buf_size);
+ if (l >= buf_size)
+ return -1;
+ buf[l] = 0;
+ origin = buf;
+ } else {
+ origin = p->name;
+ }
+ t = strrchr(origin, '/');
+ l = t ? t-origin : 0;
+ p->rpath = malloc(strlen(p->rpath_orig) + n*l + 1);
+ if (!p->rpath) return -1;
+
+ d = p->rpath;
+ s = p->rpath_orig;
+ while ((t=strchr(s, '$'))) {
+ memcpy(d, s, t-s);
+ d += t-s;
+ memcpy(d, origin, l);
+ d += l;
+ /* It was determined previously that the '$' is followed
+ * either by "ORIGIN" or "{ORIGIN}". */
+ s = t + 7 + 2*(t[1]=='{');
+ }
+ strcpy(d, s);
+ return 0;
+}
+