This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Fix writes past the allocated array bounds in execvpe (BZ# 20847)


On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:

> On 21/11/2016 12:17, Andreas Schwab wrote:
>> On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
>> 
>>> For the first issue I see so, since it allocates the argument list as:
>>>
>>>   /* Count the arguments.  */
>>>   int argc = 0;
>>>   while (argv[argc++])
>>>     ;
>>>   size_t len = (argc + 1) * sizeof (char *);
>>>   char **script_argv;
>>>   void *ptr = NULL;
>>>   if (__libc_use_alloca (len))
>>>     script_argv = alloca (len);
>>>   else
>>>     script_argv = ptr = malloc (len);
>>>
>>> Taking into consideration only the argument list plus one, but then
>>> writing to the argument list plus 2 position in 'scripts_argv'.
>> 
>> But the old scripts_argv never writes to new_argv[argc+1].  Here, argc
>> is already including the NULL in the old argv, and scripts_argv only has
>> to prepend one new argument (and replace the old argv[0]).
>
> Right, but then I think it incurs another issue where the resulting new
> argument variable would not contain a final NULL.

scripts_argv first copies argv[argc-1], which is the final NULL.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
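The bounds arithmetic the thread argues about, as an added example written for this page (it is not glibc's code): argc is counted with the post-increment loop quoted above, so it already includes the terminating NULL; the new vector gets argc+1 slots, the interpreter and the script path take the first two, and argv[1..argc-1] is shifted up by one, so the last copy is argv[argc-1], the NULL, landing in slot argc. The copying loop, the helper names and the handling of an argv with no argv[0] at all (three slots, with an explicit NULL) are assumptions of this example, not something the thread shows.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count argv the way the quoted fragment does: the post-increment makes
   argc include the terminating NULL, so argv[argc-1] == NULL.
   Hypothetical helper written for this example.  */
static int count_argv (char *const argv[])
{
  int argc = 0;
  while (argv[argc++])
    ;
  return argc;
}

/* Build the vector for a script: interpreter, then the script path in
   place of argv[0], then argv[1..argc-1].  The NULL is argv[argc-1] and is
   copied like every other entry into slot argc, the last of argc+1 slots.
   When argv has no argv[0] (argc == 1) there is nothing to copy, so three
   slots are used and the NULL is written explicitly (assumption of this
   example).  Returns a malloc'ed array, or NULL on allocation failure.  */
char **build_script_argv (const char *interp, const char *file,
                          char *const argv[], size_t *out_slots)
{
  int argc = count_argv (argv);                 /* includes the NULL */
  size_t slots = argc > 1 ? (size_t) argc + 1 : 3;
  char **script_argv = malloc (slots * sizeof (char *));
  if (script_argv == NULL)
    return NULL;

  script_argv[0] = (char *) interp;
  script_argv[1] = (char *) file;
  /* argv[i] goes to script_argv[i+1]; the last iteration (i == argc-1)
     copies the NULL into script_argv[argc].  Touching script_argv[argc+1]
     would be one element past the allocation.  */
  for (int i = 1; i < argc; i++)
    script_argv[i + 1] = argv[i];
  if (argc == 1)
    script_argv[2] = NULL;

  if (out_slots)
    *out_slots = slots;
  return script_argv;
}

/* Check that the vector is NULL-terminated inside exactly `slots` slots,
   i.e. the terminator sits in the last allocated element.  */
int script_argv_is_terminated (char **v, size_t slots)
{
  size_t i = 0;
  while (i < slots && v[i] != NULL)
    i++;
  return i + 1 == slots;
}

int main (void)
{
  /* Constructed sample argv, as execvpe would receive it.  */
  char *argv[] = { "script.sh", "--flag", "input.txt", NULL };
  size_t slots;
  char **v = build_script_argv ("/bin/sh", "./script.sh", argv, &slots);
  if (v == NULL)
    return 1;
  for (size_t i = 0; i < slots; i++)
    printf ("script_argv[%zu] = %s\n", i, v[i] ? v[i] : "NULL");
  free (v);
  return 0;
}
```

Running it prints the five slots, the last being NULL; the point is that the count argc already accounts for the terminator, so an allocation of argc+1 pointers is exactly what the shifted copy needs and any write at index argc+1 is out of bounds.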

