This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH v2] Fix writes past the allocated array bounds in execvpe (BZ#20847)
- From: Andreas Schwab <schwab at linux-m68k dot org>
- To: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>
- Cc: libc-alpha at sourceware dot org
- Date: Mon, 21 Nov 2016 21:10:18 +0100
- Subject: Re: [PATCH v2] Fix writes past the allocated array bounds in execvpe (BZ#20847)
- Authentication-results: sourceware.org; auth=none
- References: <1479755377-12442-1-git-send-email-adhemerval.zanella@linaro.org>
On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
> diff --git a/posix/execvpe.c b/posix/execvpe.c
> index d933f9c..96a12bf5 100644
> --- a/posix/execvpe.c
> +++ b/posix/execvpe.c
> @@ -41,19 +41,20 @@ maybe_script_execute (const char *file, char *const argv[], char *const envp[])
> ptrdiff_t argc = 0;
> while (argv[argc++] != NULL)
> {
> - if (argc == INT_MAX - 1)
> + if (argc == INT_MAX - 2)
> {
> errno = E2BIG;
> return;
> }
> }
>
> - /* Construct an argument list for the shell. */
> - char *new_argv[argc + 1];
> + /* Construct an argument list for the shell. It will contain at minimum 3
> + arguments (current shell, script, and an ending NULL. */
> + char *new_argv[argc + 2];
The array is now always one element too big, unless execvpe was called
with argv[0] == NULL.
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756 01D3 44D5 214B 8276 4ED5
"And now for something completely different."